A hacker seems to sell confidential information that is claimed to have been robbed from an OTP firm. And this OTP firm perhaps has some of the most prominent technology and business giants on its customer's board list which includes Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter, etc.
A one-time password ( OTP ), also called a one-time pin or dynamic password is a legitimate password on something like a computer system, or even on a digital device, for a single login or transaction. Besides, the very same hacker claims to also have real-time access to the company's OTP device. The InfoSec researcher, Rajshekar Rajaharia, however, didn’t agree with the hacker behind the identification of such a suspected breach.
“The seller was active on the dark web forum for a long time claiming to sell live access to OTP and 2FA but from what we have seen there are some chances that the data might be old as we have found some clues that changes have been made with dates. Nevertheless, we are still investigating because data seems real otherwise,” stated Rajaharia.
Rajaharia also provided sample information with confirmation of the presence of one-time codes and even if not all of them are currently available or legitimate, a purchaser might find valuable work throughout the platform and its policies. It offered 50GB of exfiltrated data, among several other details. The cost of access was reduced from $18,000 to $5,000 for the introductory mark. Though the name of the company is listed in the listing, for security purposes it is considered unethical to disclose it.
Other details included in the selling package are PII, including SMS logs, mobile numbers, e-mail addresses, SMPP details, customer documentation, and much more. Since 2017, the data itself is comprehensive. The seller switched the listing from the dark web marketplace to Telegram, as per the latest revelation, where sales were continued, however, the number of buyers was unknown. Also, 10 million OTPs appear in the data packs.
The company in conversation refused all data infringement charges by claiming that perhaps the systems were as stable as ever and it could not verify the authenticity of the alleged data.
Also, the National Stock Exchange of India received a letter from them, which reads, “We would like to highlight that unverified posts and claims are being circulated about an alleged data breach at [company’s name retracted]. Based on the evidence we have seen thus far, it is not from any of our current systems, and therefore we cannot verify the authenticity of the alleged data breach.”
However, the company stated that they were engaged with an expert in a third party to support them in its system audit, so it would be noticed and uprooted if there was a web shell in there.
