Cybersecurity neglect has resulted in a massive data leak affecting nearly 100,000 users in Italy who purchased software licenses.
Buying digital products from third-party vendors not affiliated with the original source always carries risks, with each step in the supply chain adding additional attack surfaces. On March 13th, the Cybernews research team discovered an open web directory belonging to Romania-based license key reseller Macrosoft Store S.R.L.
With a client base mainly in Italy, the store resells license keys for digital software, including Windows, Windows Server, Microsoft Office, Adobe Creative Suite, AutoCAD, and various antivirus software.
The discovered directory contained a recent database backup of the store’s website, allowing anyone to download the backups and access the private user data stored within. The data leaked could be used for spam, doxxing, phishing attacks, malware attacks, business intelligence, and identity theft.
The leaked data included:
- Names
- Email addresses
- Phone numbers
- Home addresses
- Dates of birth
- Partial payment information
- User device and network information
- Live chat messages
- Hashed passwords
Some user passwords were stored using the secure bcrypt hashing algorithm, while others were hashed with MD5, an old and insecure algorithm, leaving them vulnerable to cracking.
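The bcrypt/MD5 split described above is exactly what a post-breach review has to quantify and then fix. The following is an added example, not the store's code: it classifies stored hashes by scheme, counts accounts per scheme, and upgrades an MD5 row to a slow salted hash the moment its owner logs in with the correct password. Because bcrypt needs a third-party package, PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt as the strong scheme; the row layout and sample rows are constructed for the example.

```python
import hashlib, hmac, os, re

# Added example, not the store's code. bcrypt needs a third-party package, so the
# strong scheme here is stdlib PBKDF2-HMAC-SHA256 standing in for bcrypt.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
ITERATIONS = 600_000

def classify_hash(stored: str) -> str:
    """Name the scheme behind one stored hash: bcrypt, md5, pbkdf2 or unknown."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_RE.match(stored):
        return "md5"  # unsalted and fast, hence crackable at GPU speed
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    return "unknown"

def audit(rows: dict) -> dict:
    """Count accounts per scheme: the first thing a post-leak review establishes."""
    counts = {}
    for stored in rows.values():
        scheme = classify_hash(stored)
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts

def pbkdf2_hash(password: str) -> str:
    salt = os.urandom(16)  # fresh per-user salt, unlike the unsalted MD5 rows
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_and_upgrade(rows: dict, user: str, password: str) -> bool:
    """Check a login; a correct password against an MD5 row is rehashed on the spot."""
    stored = rows[user]
    scheme = classify_hash(stored)
    if scheme == "md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored.lower())
        if ok:
            rows[user] = pbkdf2_hash(password)  # the legacy hash is gone after this login
        return ok
    if scheme == "pbkdf2":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # bcrypt rows would need the bcrypt package; left unverified here

# Constructed sample rows (not leaked data): a bcrypt-shaped hash and MD5("password").
SAMPLE_ROWS = {"alice": "$2b$12$" + "a" * 53, "bob": "5f4dcc3b5aa765d61d8327deb882cf99"}
```

Accounts that never log in again keep their MD5 hash, so a real migration also forces a reset for those rows after a cut-off date.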
The leaked data revealed that the license key store works under multiple brands – macrosoft.store, macrosoft.me, ciaokey.it, as well as previously used and no longer active domains – megakey.eu, microesd.fr, microesd.pl, microesd.ro, microesd.co.uk.
The data in the database backup also suggests that the Macrosoft store has ties to multiple other companies, the majority of which are registered under the same address in Romania.
Gray market of license resellers
The industry of third-party license key resellers, especially the selling of game keys, has been heavily scrutinized and often referred to as the gray market.
The sellers are frequently accused, and sometimes proven, of acquiring licenses through illegitimate or unethical methods. One such method is reselling keys that were bought with stolen credit cards.
G2A, a digital marketplace for gaming products, has previously been accused of “facilitating a fraud-fueled economy.” The marketplace defended itself, arguing that its business model is to provide a platform for third-party vendors.