The ExploitHub folks have put out an official response to the news of their web site being hacked. In the post on Facebook, they admitted fault for a bad configuration on their web server and noted that what was stolen was just a list of exploits and associated product information. No actual exploits were stolen, as they reside on a separate server and there is no indication that that server was affected. Their statement follows.
Today, the ExploitHub marketplace web application server was compromised. A group called “Inj3ct0r Team”, who themselves host an exploit database, has claimed responsibility for the attack. ExploitHub is obviously a high-profile target as the ExploitHub market houses exploits and other products that Authors have submitted to market to Customers via the marketplace. While we do not allow 0day in the market, and all exploits in the market are for publicly disclosed vulnerabilities, this product content is still of high value to both our Authors and our Customers.
After our initial investigation we have determined that the web application server itself was compromised and access to the database on that server was available to the attacker. The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part. The database on that server, however, only contains information used by the web application itself as well as product information such as exploit name, price, and Author, but does not contain any actual product data such as exploit code. The product data is stored elsewhere and there is currently no evidence that the storage location was accessed by any unauthorized party or that any of the exploit code or other product data has been compromised or stolen as has been claimed; however, our investigation is ongoing.
The exploit information provided in Inj3ct0r’s attack announcement text file and SQL dump consists of exploit names, prices, the dates they were submitted to the market, the Authors’ IDs, and the Authors’ usernames, all of which is publicly available information retrievable from the web application’s normal browse and search functions; this is not private information and it was already publicly accessible by simply searching the product catalog through the website.