ExploitHub, which sells code to attack software security holes, has been hacked, leading to database leak of the website. The online boutique ExploitHub was hacked by group called Inj3ct0r Team, which apparently operates an exploit bazaar to rival ExploitHub, has taken the responsibility of the hacking.
“We hacked exploithub.com because the people who publish private exploits on exploithub.com need know that the ExploitHub Admins are lamers and cannot provide them with adequate security. We siphoned off $242,333 (£150,134) in downloads. It appears the group may have infiltrated the website via its Magento eCommerce installation,” the team said.
Explaining the scenario, ExploitHub said that a combination of human error and poor security controls allowed the breach to take place, but the software goods were not exposed.
“The database on that server however only contains information used by the web application itself as well as product information such as exploit name, price, and author, but does not contain any actual product data such as exploit code. The product data is stored elsewhere and there is currently no evidence that the storage location was accessed by any unauthorized party or that any of the exploit code or other product data has been compromised or stolen as has been claimed, however our investigation is ongoing,” ExploitHub stated.
In this scenario, damage control appears to be somewhat easy for ExploitHub, says HackANGLE editor Kyt Dotson; by making sure that only the information necessary for operations was exposed to the web (and thus the exploit) it reduced the overall likelihood that attackers gained access to more sensitive information. Compartmentalization isn’t just a good programming and operations technique: it’s also an important element of security.
ExploitHub seems like an ironic target for hackers and they have been keeping their customers up-to-date on the breach.