Doxbin Gets…Doxxed? Leak Purportedly Sourced From Paste Site Exposes More Than 41,000 User Credentials
On January 5, a threat actor on the illicit forum XSS posted a leak allegedly sourced from Doxbin[.]com, a well-known paste site where users would post doxxing information, including personally identifiable information (PII) on individuals and family members. In the post, they noted that the data was not taken by them and originally appeared on a Telegram channel used for communications by Doxbin users.
Flashpoint analysis: What was leaked and what it means
Flashpoint analysts conducted an analysis of the alleged Doxbin database and identified a total of 41,544 unique user entries. Fields in the dataset include usernames, email addresses, and passwords, in addition to user agent strings.
A cached copy of Doxbin’s terms of service page states: “The only ‘real’ information we obtain is your user agent string which is wiped from our servers after 7 days,” which suggests that the administrators of Doxbin lied about the information that they collect on users.
The volume of unique usernames within this dataset suggests an average number of users on the site are interested in doxxing attempts as compared to the broader illicit online ecosystem. Based on analysis of the types of email addresses that appear in the dump, most users are unlikely to be sophisticated threat actors. Additionally, it is worth noting that one of the users appearing in the dataset may access the site for research or out of idle interest rather than in an effort to conduct doxxing attempts or submit doxxes.
Alleged double-crossing and in-fighting
Following the leak of this database, Doxbin[.]org was updated to display a message claiming that the previous owner of the site decided to leak the database after selling the site back to the original owners. The message claimed that this previous owner is a minor and included their alleged aliases and details about other illicit online activities.
Threat actors within illicit communities that operate sites such as Doxbin regularly harass and conduct retaliatory activities against one another, including doxxing or attributing malicious activities to the targets of their ire. Doxxing can also be used as leverage or extortion against administrators of a website. For example, in the past year Flashpoint observed threat actors publish personal details of the owners of the Russian-language marketplace Hydra, and the administrators of the Russian-language Narco forum Legalizer.
Getting ahead of the message
The post also claimed that any other assertions from actors about having dumped the database from Doxbin were false, which may have been in response to the reposts of the data that have appeared on other sites such as Raid Forums. Sometime later, the site went offline and as of this writing is not accessible; administrators have claimed that it is down for maintenance.
What’s a dox?
The goal of doxxing is to obtain any and all information pertaining to the target; valuable information in so-called “name and shame” campaigns includes the target’s full name, address, phone number, employer, family and friends’ names, and compromising pictures. The priority information for doxxers is dissimilar to that for hacktivists, who typically attempt to gain additional personally identifiable information (PII), such as date of birth, Social Security Number, and financial information. Doxxing techniques range from simplistic Google searches to the use of more fee-based and/or advanced tools, such as Maltego and Intelius.
In this capacity, most doxxing attempts are conducted by inexperienced operators who infrequently validate their findings through cross-referencing or deductive reasoning to eliminate false positives. These shortfalls frequently lead to false accusations and misinformation, putting non-affiliated individuals at risk.