The New Jersey fax company Fax Express appears to have had more than half a million of its customers’ emails and dehashed, plain text passwords leaked on a popular Russian hacking forum. According to its website, Fax Express has been in business for 40 years, having operated since 1980.
This apparent Fax Express database is connected to the domain shredderstoo.com, which seems to be a mirror site of faxexpress.com. The database leak was dehashed from hashed database tables originating from Cit0day.in leaks, in which 23,000 hacked databases were published in early November.
The now-defunct Cit0day.in was a private service for cybercriminals that collected hacked databases and allowed their customers to access usernames, emails, addresses, and plain text passwords for a subscription fee.
We first attempted to contact Fax Express’ shredderstoo.com on November 16 to inform them about the leak, but have not yet received a response from the company.
What is Fax Express?
Fax Express is an Ocean, NJ-based business that sells fax machines, copiers, printers, shredders, and related items. Although its Contact Us page states that it’s been in business since 1980, its website seems to have been registered in 1996.
One interesting thing about this leaked data is that the website it refers to – shredderstoo.com – has a Fax Express logo, and faxexpress.com seems to be a mirror of it. A quick Google search of specific contact info shows that there seem to be at least 8 domains connected in this Fax Express cluster:
- copiersexpress.com (this one doesn’t have the Fax Express logo)
It’s uncertain right now whether the leaked data comes from all of these sites, from a sort of centralized database, or if it is only from shredderstoo.com. Seeing as there are more than 560,000 records, we’d guess that it’s from the entire Fax Express cluster.
The leaked data contains email addresses and plain text passwords, as seen in the sample screenshot below:
Who had access to the data?
The apparent Fax Express/shredderstoo.com data was freely available on a popular Russian hacking forum. For that reason, it’s reasonable to assume that a sizable portion of the users on the forum had access to the data.
We attempted to reach the owners of Fax Express on multiple occasions, but have not received a response yet.
What’s the impact of the leak?
While the apparent Fax Express/shredderstoo.com leak doesn’t contain particularly “sensitive” data, such as credit card, passport or social security numbers, this type of data is still very useful for cybercriminals.
Scammers can use email addresses and dehashed, plain text passwords for a variety of attacks. These include not only phishing attacks, but also matching the dehashed passwords to other online accounts connected to the same email address or phone number.
Because most people reuse the same passwords for different accounts, cybercriminals can quickly escalate the type of data they are able to steal. If, for example, people use the same passwords on their email accounts, the cybercriminals might be able to take over all other email-connected accounts by changing the passwords on those accounts and confirming the changes in the email.
If you are an administrator of Fax Express/shredderstoo.com or have a similar database, it’s important that you:
- Hash your passwords properly, with something like the National Institute of Standards and Technology (NIST)-recommended SHA-256 or better
- Beyond hashing, you should also salt your passwords
- After that, you should patch your system in general, including your CMS. This is because breaches normally happen due to an outdated or unpatched system, weak password, or access control issues
If you are now or have been a customer of Fax Express/shredderstoo.com, it’s likely that your data has been leaked. To see if you’ve been affected by this breach, we recommend you:
- Check our personal data leak checker to see if your email address is included in the leak. The CyberNews.com Data Leak Checker currently has the largest database of known breached accounts, with more than 15 billion compromised accounts.
- If your email address was leaked, you should change your password immediately. We recommend using a reliable password manager to create and store your passwords.
- Be vigilant: watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on any links from these suspicious emails.