‘Gnosticplayers’ appears to have struck again last week, with the notorious hacker claiming to be behind the 24 May data breach that saw the personal details of almost 140 million Canva users accessed.

The graphic design platform detected and stopped the attack as it was occurring, but not before the malicious actor accessed data including usernames, real names, email addresses, countries, encrypted passwords and partial payment data.

Gnosticplayers, who is believed to be behind hacks involving more than 40 large companies in 2019, contacted ZDNet immediately to notify them of and claim responsibility for the breach, as he has various times in the past.

“It’s common to brag about hacks on dark web forums, but contacting journalists directly and spreading awareness like this is almost unheard of,” Oz Alashe, CEO of intelligent cyber security awareness platform CybSafe, told Verdict.

So why would a hacker use this unusual tactic, and how much does this notoriety benefit somebody like Gnosticplayers?

Attracting a buyer

Given the ease of sale that popular dark web marketplaces provide cybercriminals, financial gain is the most likely incentive for hackers to carry out such a breach.

That appears to be the case for Gnosticplayers, who has listed close to one billion compromised records on the dark web since February, requesting varying amounts of bitcoin in exchange for this stolen data.

Cybersecurity experts feel that the attempt to spread details of the breach in the mass media is a likely effort to promote the data that has been stolen.

Given that Dream, the dark web marketplace where Gnosticplayers previously sold their data, shut down last month, it “makes sense” that they would reach out to the media to continue to advertise their hacks, Daniel Smith, an information security researcher for Radware’s Emergency Response Team, believes.

Valuable data for cybercriminals, despite Canva’s quick response

While bringing further attention to the breach could lower the value of the compromised data, given Canva users will change their passwords if the company hasn’t reset them already, the data will still hold a lot of value for cybercriminals to exploit.

“These passwords will still have a lot of value,” Alashe told Verdict. “That’s because, even after a breach, and even after one that is well-publicised, many affected users won’t voluntarily change them.”

“What’s more, since most users reuse passwords across multiple platforms, even if people do change their Canva passwords, it’s likely that other accounts are still compromised.”

Cybercriminals will use this data to carry out credential stuffing attacks. This involves trying a large number of email and password combinations in the hopes of breaching an account. Given that password reuse is still rife, credential stuffing can provide cybercriminals access to accounts not just on the breached platform, but also to other websites and platforms across the web.

Likewise, cybercriminals can also use breached passwords in their phishing attempts in order to trick victims into handing over money. Cybercriminals carry out sextortion scams, for example, where they claim to have compromised the victim’s system and recorded compromising footage of them, using the password as ‘proof’ of the breach.

Hackers for hire

While Gnosticplayers appears to be promoting the compromised data for sale, hackers may also turn to the media in an attempt to promote themselves.

In that regard, notoriety is hugely important. Claiming an attack against a large organisation could prove far more lucrative than selling the data on, should it attract the attention of those looking to carry out cyberattacks against a particular organisation.

“There are a number of reasons why hackers hack, and… one of them is self-publicity,” Guy Bunker, chief technology officer for IT security company Clearswift, told Verdict. “While in the old days it was about defacing websites and then showing it could be done, these days it is about being able to show off technological prowess and then ‘selling it to the highest bidder’.”

While the dark web might be associated with the criminal underworld, legitimate actors also frequent the hacker-for-hire market, according to Sam Curry, chief security officer at Cybereason.

“It’s not just governments turning to cyber for a quick fix or new options, it’s also the private sector,” Curry told Verdict. “Sometimes they [hackers] are employed by competitors or activists to embarrass and expose victims.”

It is unclear how common this practice is in the business world. However, a past study conducted by cybersecurity firm Kaspersky found that 40% of businesses hit by a distributed denial of service (DDoS) attack believed that their competitors were behind it. A DDoS attack involves flooding a web server with traffic in order to use up its bandwidth, which stops legitimate users from connecting to the server.

However, hacking attempts launched against businesses have the potential to be far more costly than some downtime. Under the European Union’s General Data Protection Regulation (GDPR), businesses can be fined up to €20m or 4% of global annual turnover for failing to protect user data.

“These days, with GDPR, there is the potential for a significant fine to be levied because of the breach – highlighting it will bring it to the attention of the media and the regulatory authorities, and with that the investigations, allegations and fines,” Bunker said.

Controlling the narrative

Hacking isn’t always about financial gain. Breaches are often carried out for socially or politically motivated reasons, a practice referred to as hacktivism.

Anonymous is the most widely known hacktivist group, having launched attacks on targets including the Islamic State, the Westboro Baptist Church and businesses such as PayPal and Sony, while groups like Lizard Squad and LulzSec have also attracted attention in recent years.

According to Alashe, contacting the media means that the hacker “takes control of the narrative”, allowing hacktivists to share their reasons for carrying out an attack.

Regarding Gnosticplayers, the hacker has previously alluded to poor security and data handling as a possible motive for his attacks.

“I got upset because I feel no one is learning,” the hacker previously told ZDNet. “I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.”

Then there is also the reputation that it brings in the hacker community. For many, financial gain is “just the bonus that comes with the territory”, Alashe explained.

Gnosticplayers’ willingness to talk to the media, while somewhat unusual, has undoubtedly made him one of the publicly well-known hackers operating at the moment.

“Scores are kept by what other hackers think of your skill and the reputation of the companies you’ve been able to break into, and not necessarily how much money you’ve made,” Alashe said.

“Criminal behaviour, whether online or offline, is still criminal”

Hacktivists may have their reasons for carrying out an attack, but Curry emphasised that, regardless of motive, hacking is still a crime.

“Criminal behaviour, whether online or offline, is still criminal plain and simple,” Curry told Verdict. “We should focus on the hacker of Canva and finding them rather than guessing at motive.”

Canva has confirmed that it is working with cybersecurity experts and organisations such as the FBI in the wake of the breach, as the hunt for the culprit believed to be behind hacks on companies like UnderArmor, MyHeritage, Mindjolt and GameSalad continues.