Hackers are selling data center login credentials belonging to some of the world’s largest corporations, including Alibaba, Amazon, Apple, BMW AG, Microsoft, and Walmart, among others, reports Bloomberg. The list also includes organizations in India, among them Bharti Airtel and the National Internet Exchange of India.
According to the report, US-based cybersecurity research firm Resecurity Inc. revealed that hackers had obtained login credentials for two of the largest data center operators in Asia: Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres (STT GDC). According to Resecurity, about 2,000 customers of GDS and STT GDC were affected.
The leaked data include credentials in varying numbers for some of the world’s biggest companies, including Alibaba Group Holding Ltd., Amazon.com Inc., Apple Inc., BMW AG, Goldman Sachs Group Inc., Huawei Technologies Co., Microsoft Corp., Walmart Inc., Bharti Airtel Ltd., Bloomberg LP, ByteDance Ltd., Ford Motor Co., Mastercard Inc., Morgan Stanley, Paypal Holdings Inc., Porsche AG, SoftBank Corp., Tencent Holdings Ltd., Verizon Communications Inc., and Wells Fargo & Co., according to the security firm.
The report also revealed that the hackers had logged into the accounts of at least five of the affected firms. At GDS, the hackers accessed an account belonging to the China Foreign Exchange Trade System, an arm of China’s central bank that operates the government’s main foreign exchange and debt trading platform.
At STT GDC, the hackers accessed accounts for the National Internet Exchange of India, an organization that connects internet providers across the country, and three others based in India: MyLink Services Pvt., Skymax Broadband Services Pvt., and Logix InfoSecurity Pvt., the report said.
However, the report added that it’s not clear what the hackers did with the other logins.
According to Resecurity, the hackers had access to the login credentials for more than a year before posting them for sale on the dark web last month for $175,000. The hackers said in the post,
“I used some targets…But unable to handle as a total number of companies is over 2,000.”
The post said, “DBs contain customer information, can be used for phishing, access of cabinets, monitoring of orders and equipment, remote hands orders…Who can assist with targeted phishing?”
Resecurity in a blog post on February 12 said, “The initial indicators of this activity were identified in September 2021 – proper early-warning threat intelligence notifications have been disseminated to two data center organizations based in China and Singapore. Additional intelligence was acquired at the end of 2022 related to the same activity and addressed for further incident response (IR) to the appropriate parties. The most recent update was received in January 2023 and shared in a timely manner. Around that time both data center organizations began forcing their clients to change their passwords and released a notification of a security policy update.”
“The initial early-warning threat notification about this activity was sent around September 2021 with further updates during 2022 and January 2023,” the cybersecurity firm added.
In late January, after GDS and STT GDC changed customers’ passwords, the report said.
According to Resecurity, even without valid passwords the data would still be valuable, since it allows hackers to craft targeted phishing emails against people with high-level access to their companies’ networks.