Hackers Selling Data Centre Logins Credentials Of Top Global Corporations
The Login credentials of some of the largest corporations in the world are being sold by hackers, including those of Alibaba, Amazon, Apple, BMW AG, Microsoft, and Walmart, among others, according to the researcher at Resecurity and a report by Bloomberg.
The list of the victims also includes some Indian corporations such as Bharti Airtel and the National Internet Exchange of India.
Cybersecurity research firm, Resecurity Inc, based in the United States, has revealed that the login credentials for two of the largest data center operators in Asia, Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres (STT GDC), have been compromised and about 2,000 customers of GDS and STT GDC were affected.
Affected Firms
According to the Credentials Resecurity research, leaked data include credentials varying numbers for some of the world’s largest companies, including Alibaba Group Holding Ltd., Amazon.com Inc., Apple Inc., BMW AG, Goldman Sachs Group Inc., Huawei Technologies Co., Microsoft Corp., Walmart Inc., Bharti Airtel Ltd., Bloomberg LP, ByteDance Ltd., Ford Motor Co., Mastercard Inc., Morgan Stanley, Paypal Holdings Inc., Porsche AG, SoftBank Corp., Tencent Holdings Ltd., Verizon Communications Inc., and Wells Fargo & Co., have been leaked.
Resecurity’s Yoo said that in January, his firm’s undercover operative pressed the hackers for a demonstration of whether they still had access to accounts. The hackers provided screenshots showing them logging into accounts for five companies and navigating to different pages in the GDS and STT GDC online portals
The report also indicated that hackers have already logged into the accounts of at least five affected firms. The hackers accessed an account for the China Foreign Exchange Trade System at GDS, which is responsible for operating the government's main foreign exchange and debt trading platform. Additionally, hackers also accessed accounts for the National Internet Exchange of India and three other Indian companies at STT GDC.
Data That Hacker Accessed
The hackers obtained email addresses and passwords for more than 3,000 people at GDS — including its own employees and those of its customers — and more than 1,000 from STT GDC, according to Bloomberg News.
The hackers also stole credentials for GDS’s network of more than 30,000 surveillance cameras, most of which relied on simple passwords such as “admin” or “admin12345,” the documents show. GDS didn’t address a question about the alleged theft of credentials to the camera network, or about the passwords.
The number of login credentials for the customer-support websites varied for different customers. These are as follows —
| Corp Name | No. of Logins |
|---|---|
| Alibaba | 201 |
| Amazon | 99 |
| Microsoft | 32 |
| Baidu Inc. | 16 |
| Bank of America Corp. | 15 |
| Bank of China Ltd. | 7 |
| Apple | 4 |
| Goldman Sachs | 3 |
Resecurity Chief Executive Officer Gene Yoo said his firm uncovered the incidents in 2021 and found that the hackers only need one valid email address and password to access a company’s account on the customer service portal.
Among the other companies whose workers’ login details were obtained, according to Resecurity and the documents, were: Bharti Airtel Ltd. in India, Bloomberg LP (the owner of Bloomberg News), ByteDance Ltd., Ford Motor Co., Globe Telecom Inc. in the Philippines, Mastercard Inc., Morgan Stanley, Paypal Holdings Inc., Porsche AG, SoftBank Corp., Telstra Group Ltd. in Australia, Tencent Holdings Ltd., Verizon Communications Inc., and Wells Fargo & Co.
The Dark Web Posting
According to Resecurity, the hackers had access to the login credentials for over a year before they posted them for sale on the dark web in January 2023 for $175,000.
The leaked data contains customer information that can be used for various purposes such as phishing, access of cabinets, monitoring of orders and equipment, and remote hand orders. However, it remains unclear what the hackers did with other logins.
How The Leaked Data Came To Light
The cybersecurity firm, Resecurity, discovered the initial indicators of this activity in September 2021 and sent early warning threat intelligence notifications to two data center organizations based in China and Singapore.
Additional intelligence was acquired at the end of 2022, related to the same activity, and further incident response (IR) was initiated. In late January, GDS and STT GDC changed customers' passwords after which the report was published.
In late January, after GDS and STT GDC changed customers’ passwords, Resecurity spotted the hackers posting the databases for sale on a dark web forum, in English and Chinese.
Response From The Data Centres
GDS Holdings confirmed that a customer support website was breached in 2021, but the hacker attack was limited in scope and information to non-critical service functions such as making ticketing requests, scheduling physical delivery of equipment, and reviewing maintenance reports.
According to them, requests made through the application typically require offline follow-up and confirmation, and as the application is basic in nature, the breach did not result in any threat to their customers' IT operations.
STT GDC, on the other hand, claims that the IT system in question is a customer service ticketing tool, which has no connection to other corporate systems or any critical data infrastructure. They add that no unauthorized access or data loss was observed.
Affected Corps Responses
The affected corp are some of the world’s biggest companies, including Alibaba Group, Amazon, Apple, BMW, Goldman Sachs, Huawei, Microsoft, and Walmart. As Bloomberg reached them for the comments they responded with the following statements -
Microsoft said,
“We regularly monitor for threats that could impact Microsoft and when potential threats are identified we take appropriate action to protect Microsoft and our customers.”
A spokesperson for Goldman Sachs said,
“We have in place additional controls to protect against this type of breach and we are satisfied that our data was not at risk.”
The automaker BMW said it was aware of the issue. But a company spokesperson said,
“After assessment, the issue has a very limited impact on BMW businesses and has caused no damage to BMW customers and product-related information.” The spokesperson added, “BMW has urged GDS to improve the information security level.”
The Cyber Security Agency of Singapore said the agency
“is aware of the incident and is assisting ST Telemedia on this matter.”
Baidu said,
“We do not believe that any data was compromised. Baidu pays great attention to ensure the data security of our customers. We will keep a close eye on matters such as this and remain on alert to any emerging threats to data security in any part of our operations.”
A representative for Porsche said,
“In this specific case, we have no indication that there was any risk.”
A SoftBank representative said a Chinese subsidiary stopped using GDS last year.
“No customer information data leakage from the local China company has been confirmed, nor has there been any impact on its business and services,”
A spokesperson for Telstra said,
“We are not aware of any impact to the business following this breach,”
Mastercard representative said,
“While we continue to monitor this situation, we are not aware of any risks to our business or impact to our transaction network or systems.”
A representative for Tencent said,
“We are not aware of any impact to the business following this breach. We manage our servers inside data centers directly, with data center facility operators having no access to any data stored on Tencent servers. We have not discovered any unauthorized access of our IT systems and servers after investigation, which remain safe and secure.”
A spokesperson for Wells Fargo said it used GDS for backup IT infrastructure until December 2022.
“GDS did not have access to Wells Fargo data, systems, or the Wells Fargo network,”
National Internet Exchange of India said it wasn’t aware of the incident and declined further comment. None of the other organizations in India responded to requests for comment.
The National Computer Network Emergency Response Technical Team/Coordination Center of China, a non-governmental organization that handles the cyber emergency response, didn’t respond to messages seeking comment. The other companies all declined to comment or didn’t respond.
Conclusion
Hackers selling login credentials of some of the world’s largest corporations is alarming. These attacks can have devastating consequences, especially if hackers gain physical access to clients' servers and install malicious code or additional equipment.
All companies should take this seriously and implement tighter security measures to prevent unauthorized access.