Russian Streaming Platform Start Suffers Data Breach
44 Million Users Possibly Affected; Data Appears on Underground Forums
Russian media streaming service Start acknowledged a data breach involving email addresses and phone numbers while seeking to downplay the severity by telling users that no passwords, payment card data or viewing data were involved.
The vulnerability that led to the breach has been fixed, the company says.
Start has a presence in 174 countries; no threat actor has claimed responsibility for the attack.
Russian-language Telegram channel "Data Leak," which monitors the dark web for possible data leak claims, published what appear to be screenshots of the leaked information on the platform. It says the 72-gigabyte leaked database contains information on nearly 44 million customers, and that 24.6 million of them are from Russia, 2.3 million from Kazakhstan, 2.1 million from China and 1.7 million from Ukraine.
Threat actors appear to have exploited an exposed MongoDB database flaw to exfiltrate the data in JSON format. Data Leak contradicts Start's statement by asserting the exposed information includes customer usernames, MD5-hashed passwords, IP addresses, countries of registration, subscription start and end dates and last login details. The entries are from Sept. 19, 2017, to Sept. 22, 2021.
Data Leak says it verified the records by randomly checking some entries from the dump via the password recovery function on the start[.]ru website. "All logins (e-mail) from these records turned out to be valid," it says.
Information Security Media Group could not independently verify these claims. Start did not respond to ISMG's request for comment.
Start says it is not necessary for users to change their passwords due to this incident but encourages them to do so routinely with unique passwords as a best practice.
Streaming media have been one target of many in the cyber conflict initiated by Russia's February invasion of Ukraine. Hacking collective Anonymous claimed in March to have hacked into Russian streaming services Wink and Ivi as well as TV channels to broadcast war footage. The June broadcast of the Football World Cup 2022 qualifier game between Wales and Ukraine on Ukrainian streaming platform Oll.tv was interrupted by Russian propaganda.
Ukrainian radio broadcaster TAVR Media also suffered a cyberattack in July in which its infrastructure was used to transmit disinformation about the health of Ukrainian President Volodymyr Zelenskyy (see: Malware Attacks and Disinformation Campaigns Target Ukraine).