We are well aware of the past data breaches at Foodmandu and Vianet. Yet another data breach has surfaced out of the blue. It seems to have first been posted on Twitter at exactly 9:12 PM on Oct 8, 2020, under the Twitter handle @Aparich95406002. I have tried to wrap my head around this eSewa hack in my own way; read on below.
UPDATE: eSewa has published a public announcement on their Facebook page claiming that their service was not compromised; read more here.
See this tweet for more information. This post is now invalid, but you can go through it ;).
About the tweet
Let us take a look at the tweet and see what the hacker actually said.
It also looks like the hacker has posted a tiny bit of data from the actual dump. He also apologized for sharing the data of those who are on that list.
The hacker stated that changing credentials was the sensible thing to do right after a security breach. But another tweet claims that not much can really be achieved by changing the password. It looks like it’s not only about email and password.
Who is @Aparich95406002?
Just like everyone else out there, I am unaware of the hacker’s identity. And I don’t think anyone will ever know, as revealing it would really defeat the purpose of being a black-hat or a grey-hat.
It may be far-fetched, but the hacker really likes Marshmello’s music. I think this might be true, as the profile picture is really similar to what Marshmello wears over his head.
It is also possible that the Twitter handle is managed by multiple hackers with fine expertise in cyber security. But there’s not much information about the hacker, as I don’t see any previous breaches by the same hacker. There’s not even a hint about anything else.
So for this article I have assumed this is just one person, as it is hard but not impossible for a single person to look for the details.
The intention behind the hack
It doesn’t look like the hacker wants much of anything. And from the wording on Twitter it’s clear that it wasn’t for money. But that is just my speculation.
The tweet carries a subliminal warning that eSewa cannot really do much about the hack, as it was something eSewa should have thought about before this incident.
And like most other hackers, the hacker may just want to display their skill set, as it is really not easy to do something like this.
But in a country where bug bounties have been nonexistent up until now, this is expected.
How was eSewa hacked?
This was not disclosed by any of the parties involved. But I looked closer at the tweet and thought about the possibilities.
Look at what the hacker has hinted.
"Good step with requesting all users to change pass. But don’t you think it’s late?? Should have used OTP in web login before." - @Aparich95406002
It looks like the fault is in the authentication mechanism, and the attacker somehow managed to exploit it.
The login doesn’t really use OTP, and the hacker has stated that it should have. Could this have prevented the breach in the first place?
But again, this is just my speculation. And just because the login can be exploited doesn’t mean the whole server can be compromised (which is possible). The possibilities are endless.
What is eSewa doing about the data breach?
So far I do not see any announcement made by eSewa, except for this image posted on their website’s homepage.
It doesn’t really state what happened or why users must change their passwords, and the web app had never really urged me to change my couple-of-years-old password.
They have not informed users about the data breach, which we can clearly see stated on the Twitter handle with some demo data.
Is eSewa trying to keep as low a profile as possible and hide the breach? Or was there no breach, and this was just to make sure everyone updates their password?
What should you do?
You should change the password of your account. An email has been sent to everyone with a link to reset the password.
I have previously written about password security. You should always use different passwords for different accounts, and use a complex password scheme such as mixed upper-case, lower-case, special and numeric characters.
If you want to learn possible ways to secure your passwords, see: Password 101: You are overlooking your own security
If the data has been released publicly, you might receive spam and advertisements.
If you don’t use the same password for multiple accounts, it’s not really a big issue. But if you do, you should really not be doing that.
Here’s a video explaining why you should not use the same password for multiple online accounts.
What’s interesting?
As we can see from the tweet, the password is clearly visible. There is so much wrong with that, and it makes me draw just 2 conclusions.
The hack is fake
Well, why do I think the breach is fake?
It is because passwords should not be stored in any form that can be reversed. Storing a password should be like a one-way highway or a black hole: data goes in but never comes out.
There is something called hashing, which takes input of any length and produces a fixed-length string of characters. It cannot be reversed in any way.
The only possible way to recover the password is to guess it, which can take anywhere between forever and eternity depending on the hash function used.
If this is true, this article really makes no sense at all. But there’s one more possibility.
eSewa stores passwords in plain text
What is a plain text password?
It is when you store passwords as they are, like text in a text file, which is not secure at all. If the server gets breached, every account’s credentials will be accessible.
As described in the section above, hashing should be used instead: the same output is produced for the same input, and even if the hash gets leaked nothing really happens. Your password is still secure.
That being said, it’s possible that eSewa is storing users’ passwords in plain text, which might be the case considering the image posted by eSewa on their homepage urging people to change their passwords.
Even if they do not store passwords in plain text and instead encrypt them before storing, this too is just as insecure. Why?
Because encryption requires a key to encrypt and decrypt the data. That key must be known to the server and can easily be obtained once the hacker gains access to the server. Not much security there.
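The three storage options discussed above (plain text, reversible encryption, one-way hashing), compared as an added example that is not from the original post or from eSewa. It assumes Python's standard-library scrypt with illustrative cost parameters and a per-user salt, a toy XOR keystream standing in for a real cipher, and constructed passwords and guess list.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this sketch (not taken from the post or from eSewa).
N, R, P, DKLEN = 2**14, 8, 1, 32


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Reversible stand-in for a real cipher (XOR with a SHA-256 keystream); illustration only."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))  # applying it twice decrypts


def hash_password(password: str) -> dict:
    """What a server should store: a per-user random salt and a slow one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return {"salt": salt, "hash": digest}


def verify_password(attempt: str, record: dict) -> bool:
    """Login check: re-derive the digest from the attempt and compare in constant time."""
    digest = hashlib.scrypt(attempt.encode(), salt=record["salt"], n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(digest, record["hash"])


def readable_after_breach(password: str) -> dict:
    """For each storage scheme, what does someone holding the database AND the server learn?"""
    server_key = os.urandom(32)                    # kept on the breached server
    encrypted = toy_encrypt(password.encode(), server_key)
    hashed = hash_password(password)
    guesses = ["123456", "password", "esewa123"]   # constructed guess list
    return {
        "plaintext": password,                                      # read straight from the dump
        "encrypted": toy_encrypt(encrypted, server_key).decode(),   # key was on the same server
        "hashed": next((g for g in guesses if verify_password(g, hashed)), None),  # guessing only
    }


if __name__ == "__main__":
    print(readable_after_breach("T7#kq!Zp-constructed"))  # constructed sample password
    print(readable_after_breach("password"))              # a weak password falls to guessing
```

Only the hashed column depends on password strength: the plain text and encrypted copies are readable regardless, which is why a dump showing clear passwords points to one of those two schemes.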
Was the server compromised?
Everything has led me to assume that yes, the server was compromised. How?
Dumping users’ data from the web GUI is kind of improbable. It might be possible, but I have limited knowledge on the topic.
Someone must actually bypass the security in place or the server must explicitly send back the data.
Everything is pointing towards this because
And what’s interesting is that they have actually sent a password reset link to each user’s email.
They have stated that they have various measures for security. But then again they have this line that made me really curious.
"After a transaction, your private information (credit cards, social security numbers, financials, etc.) will be kept on file for more than 60 days in order to make it easy for you to use repeatedly." - eSewa
Maybe I am misinterpreting “kept on file”, as it can just mean stored, but not in an actual file. But considering the hacker has shown us some plain text passwords, it makes me wonder what the hacker meant by “Be prepared for something big 🙂”. It also makes me doubt eSewa’s security measures. Comment below with what you think.
Remember not to trust yourself any more than you trust the service providers, as security is an ongoing process and not a product.
How do you really feel about the news that eSewa was hacked? Comment below.
Will update with the latest advancements on this topic.