After losing 4 million emails, and information on its admins, The Pirate Bay has been taken down for maintenance (screenshot of cached homepage).
The researcher involved said he briefly considered selling the data to the RIAA/MPAA but decided not to.

In an interview with security blog Krebs on Security, Argentinian researcher Ch Russo revealed that he and two of his associates discovered multiple SQL injection vulnerabilities on the world's most popular torrent site, The Pirate Bay.  They successfully exploited these vulnerabilities to obtain the user names, e-mail, and internet addresses of 4 million users.

While the vulnerability exploited is quite different, the leak is very reminiscent of the recent snatch of iPad buyers' email addresses by Goatse Security.  Unlike that incident, though, the purloined information has the potential to put a number of people in sticky legal water if it falls into certain hands (i.e. the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA)).

Russo said he briefly considered how much the RIAA and MPAA would give him for the info, but decided against selling it.  He states, "Probably these groups would be very interested in this information, but we are not [trying] to sell it.  Instead we wanted to tell people that their information may not be so well protected."

Brian Krebs -- apparently a TPB user himself -- verified that Russo had this info by sending him his username, in exchange for the gathered email and password hash.  Krebs verified these items were indeed correct, validating Russo's claims.

Russo says he made no alterations or deletions to the records in the system.

He did, however, gain information even more valuable than the massive record of average Joe and Jane users.  He also looted a list of the user names and MD5 hashed passwords of the top administrators and moderators for the site.  That list would be of particular interest to the RIAA and its international sister organization, IFPI, which have long fumbled over attempts to shut the site down.

Russo contacted The Pirate Bay about his findings, but has received no response.  The site did remove the insecure component, though, safeguarding itself from future attacks of this nature.  Russo, who is only 23, is leveraging the incident as something of a publicity stunt to promote his security exploit software package, Impassioned Framework.  He hopes to sell it to businesses as a tool to perform simulated attacks on their networks and verify security, similar to what the popular Eleonore exploit kit does.

The Pirate Bay has released no official response to the news of the breach.  The latest development is that the homepage appears to be down and displays this message:

Upgrading some stuff, database is in use for backups, soon back again.. Btw, it's nice weather outside I think.

Apparently they took the leak pretty seriously.

Copyright 2017 DailyTech LLC.