"New" NUC contains MySQL database with thousands of credit cards (RESOLVED)

dualcore on 25/12/2023 - 22:45
Last edited 29/12/2023 - 12:14 by 1 other user

I purchased a "new" NUC from one of the business sellers on eBay that resell a lot of fleet hardware. While everything appeared to be packaged well, with plastic film still on and power unit still shrink wrapped, to my surprise it booted into Linux with a variety of files on the desktop.

A cursory attempt to find the prior owner of this NUC (in an attempt to notify them) instead led to finding a "billing-25-Aug-2023.sql.gz" file. Opening it in a text editor, I see what appears to be thousands of full names, full credit card numbers, expiry dates, and CVCs. None of the tables were named descriptively, so I can't ascertain what company, service, or provider this is.

What would be the appropriate next step here? Should I drop it off at my local police station, contact the seller, or someone else?

Police force has taken custody of the data. See Update: https://www.ozbargain.com.au/comment/14770073/redir

Computing

Comments

  • MS Paint on 25/12/2023 - 22:51
    +23

    sudo mkfs -t ext4 /dev/sdb

    Then just move on.

    • acoma on 26/12/2023 - 11:18
      -1

      No way. Use XFS.

    • pegaxs on 26/12/2023 - 16:53
      +3

      Hehehe… reminds me of…

      ~$ make toast
      make: *** No rule to make target 'toast'. Stop.
      ~$ sudo make toast
      ok

      And yeah, I wouldn't be playing around with/in someone else's operating system. If they are keeping this kind of data, there is no doubt that they could also have trojans set up for the next user…

  • John Kimble on 25/12/2023 - 22:57
    +12

    Sell on Dark Web?

    /s

    Seller first, then below if no joy (if it was me).

    https://www.oaic.gov.au/privacy/notifiable-data-breaches/rep…

    • freefall101 on 25/12/2023 - 23:46
      +53

      I'd go to OAIC first rather than the seller. There's obviously someone with some god awful security going on and if that is one day of data having thousands of credit card numbers then it's a huge leak.

      Then file a paypal claim for a refund because the system wasn't new as described and can't be returned because it has been shipped off to OAIC.

      • TightLikeThisx on 29/12/2023 - 20:38

        It could just be test data.

        • LukeS on 31/12/2023 - 07:45

          True. But until proven otherwise, it should be presumed to be legit.

  • scrimshaw on 25/12/2023 - 22:59
    +27

    Intel NUC's are usually barebones machines that do not come with any storage or RAM, so what might have happened here is the NUC was fitted with a solid state drive that was harvested from another used machine. And whoever sold those parts to that ebay seller may have forgotten to securely erase it.

    The only person who knew where that SSD came from would be whoever harvested those used parts and assembled your NUC…

    Also maybe look at SMART data and see how long that drive has been used for. Not sure if SSD's log power-on hours.

    • peteru on 27/12/2023 - 00:02
      +3

      Not sure if SSD's log power-on hours.

      They do. You should be able to get not only power on hours, but also the number of power cycles and amount of data read and written. Most will also have a record of min/max temperatures, so you can see if the drive was previously overheating.

      Try smartctl -x /dev/nvme0 to get the juicy details.

      My Linux systems will typically run about 2x~4x as much written data as read. Clearly that depends on the usage, but don't be surprised if you see significantly more writes than reads.

      A "new" SSD installed in a system should not have more total written data than about 20%-50% of it's nominal capacity, even if someone claims that they have done QA testing prior to shipping. (However, I think it's clear that the seller is well into the dodgy territory that this isn't much of a relevant metric in this case. 😠 )

  • Ozbar Gain on 25/12/2023 - 23:14
    +4

    The right thing to do is report to police but that is also the inconvenient thing because your pc might be confiscated

    • schquid on 26/12/2023 - 11:42
      +15

      Local police DGAF about anything security related unfortunately. OAIC might care if the scale is large enough with clear pointers to culprits, the AFP might give it 5 minutes if you can directly connect it to crime.

      • Hansi on 27/12/2023 - 22:35

        This one knows!

  • Ozbar Gain on 25/12/2023 - 23:15
    +1

    Are there addresses or can you identify if it's Australians?

  • elgrande on 25/12/2023 - 23:17
    +9

    Merry christmas

  • Sye on 25/12/2023 - 23:17
    +20

    Go on a shopping spree.

    /$

  • USER DC on 25/12/2023 - 23:43
    -1

    i once bought a laptop and it like came with some sort of fine.pdf also haha, some infrignment notice of seller in that.

    I'd just delete that crap OS/ or reset it and forget about it

  • McOzbargainer on 26/12/2023 - 07:54
    +1

    sudo dd if=/dev/zero of=/dev/sda

    • peteru on 27/12/2023 - 00:07

      Newb! 😜

      That's just wearing down the SSD without much benefit and a long wait. You want to use secure erase on the media. On most drives it's quicker and doesn't use up any erase cycles as it just changes the internal drive encryption key, thus turning all existing data into a random stream of bits.

      • OpayuOnam on 28/12/2023 - 06:16
        +6

        Good advice, but perhaps better is to give them the right commands:

        1. SATA SSD:

        "Linux Boot:
        fdisk -l
        hdparm -I /dev/sdX

        If FROZEN:
        echo -n mem > /sys/power/state
        hdparm -I /dev/sdX

        hdparm —user-master u —security-set-pass p /dev/sdX
        hdparm —user-master u —security-erase-enhanced p /dev/sda
        IF enhanced not supported:
        hdparm —user-master u —security-erase p /dev/sda

        Wait at least the estimated amount of time from hdparm

        hdparm -I /dev/sda
        Pass and Security level should be back to normal

        dd if=/dev/sda bs=100M count=5
        Check to make sure dd returns nothing, sometimes it can be randomised…"

        2. NVMe

        "Linux Boot with nvme-cli:
        nvme list
        nvme format -s1 /dev/nvme0n1

        If throws an ""invalid lbaf:255"" error, use:
        nvme format -s1 -lb=0"

        3. SD Card, this may completely destroy cheap SD Cards:

        "blkdiscard -s -v /dev/mmcblk"

    • OpayuOnam on 28/12/2023 - 06:22
      +1

      In addition to what @petersu has said about wearing the SSD, by design, this may not fully erase the drive even, and data can still be recovered from resevere sections of flash (special tools needed).

      The only way to fully erase flash drive is what I've written below for each type of flash.

  • BatsRule on 26/12/2023 - 09:36
    +1

    Hand the drive to the feds or call police link to get info on the department that would be interested in this issue.

    • illusion99 on 27/12/2023 - 12:00
      +2

      lol you watch too much American TV. Nobody calls it “the feds” in Australia.

      • BatsRule on 28/12/2023 - 06:51
        +2

        we dont have federal police?

        • illusion99 on 28/12/2023 - 07:34
          -8

          Yes but it’s called AFP not the feds. Lawyers also don’t yell out “objection” or say “permission to approach the bench” in court cases either in Australia.

          • BatsRule on 28/12/2023 - 08:56
            +4

            @illusion99: So what does AFP mean? 🙄
            When we went to the Australian federal police office at the airport, ppl said, "take the paperwork to the feds office" or "deliver the dog to the feds shelter "

            So your complaint is that i have to write out Australian federal police..? And what's the rest got to do with anything?

            Damn, I've got to remember, when replying to forums, that this person could be sitting in a mental institution with access to the internet.

              • BatsRule on 28/12/2023 - 09:27
                +7

                @illusion99: Nup.
                You didn't disagree with me. You tried to make me look like a fool and added to a discussion that doesn't need yor useless comment.

  • BeamMeUp on 26/12/2023 - 10:46
    +13

    Sorry but wt..f…Somebody needs to held to account here. What about all those card owners they have exposed, what else have they left on other machines. Maybe they got them off the Dark Web and were up to some shady stuff. Report it.

  • jizmo on 26/12/2023 - 11:23
    +2

    Next step?
    Get a little table lamp and a black hoodie, print the file off and turn it into wallpaper.
    Enjoy!

  • schquid on 26/12/2023 - 12:13
    +10

    Likely too late for this, but disconnect any network connections and re-mount all partitions as RO to avoid write operations contaminating it, particularly log rotation.
    If they were this slack you might be able to find some hints as to origins in their shell history. Try a wander through .bash_history, or whatever is relevant for the shell in use, in each home directory and you might find hostnames, IPs or other identifying traces. Otherwise a few other good places are:
    * SSH config and known hosts
    * anything in /var/log
    * MySQL replication config
    * (S)FTP config/history
    * Env vars
    * Grep for domain/IP patterns in home directories or just root if you have time to burn

    Might be able to get some hints by taking the first 6 characters from all credit cards (BIN), uniq and see if they're overwhelmingly from a single issuer via a BIN lookup tool. If they're all from a single bank you might have better luck with the OAIC and the bank's security team.

    OAIC might care if you do the legwork for them, otherwise you'd be better off finding a security researcher who can connect the dots.

    • John Kimble on 26/12/2023 - 12:34
      +1

      If they're all from a single bank

      Unlikely if it's a merchant billing file

  • 2esc on 26/12/2023 - 13:03

    Just contact police or/and oaic not the seller until after advice from police or oaic in case they need to question the seller. Contact paypal for refund.

  • chorong on 26/12/2023 - 13:09
    +5

    I’ve had some guidance before by dropping a message to Troy Hunt + some other security researchers on what to do before.

    Otherwise, set up a protonmail / throwaway email and bcc some of the emails in the sql dump and see if you get anything back. That’s also worked for me to confirm a data breach I found was real

  • dualcore on 26/12/2023 - 23:49
    +134

    So I went to my local police station earlier today. To my surprise they took it extremely seriously and competently and I had a nice chat to someone from the forensics unit. They took the SSD but allowed me to keep the NUC after taking some photos, and thanked me for bringing it in.

    • peteru on 27/12/2023 - 00:09
      +15

      You legend!

    • lachhelix on 27/12/2023 - 02:34
      +10

      took it extremely seriously

      That's incredibly surprising!

    • ddilrat on 27/12/2023 - 07:47
      +1

      Please keep us informed if they give you any info about what they find. They probably won't though

    • Sinnerator on 27/12/2023 - 08:44
      -3

      you forgot the
      /s

      <but well done for the effort>

    • superuser on 27/12/2023 - 10:10
      +10

      you've copied the file right?

    • MrThing on 27/12/2023 - 13:35
      +19

      Evidence was lost, but all the coppers have new iPhones

    • fullmetal on 27/12/2023 - 14:17

      Will you get your SSD back?

    • USER DC on 27/12/2023 - 17:43

      They took the SSD but allowed me to keep the NUC after taking some photos, and thanked me for bringing it in.

      I wont be happy if that was me, ssd and storage was yours may be they analyse and give you the ssd back

      • BatsRule on 28/12/2023 - 07:00
        +1

        It's evidence and voluntary handed in.

    • BatsRule on 28/12/2023 - 07:05
      +2

      Nice. 👍 Oh and re my previous comment above that was neg. The "feds" will probably take over, depending on the outcome from a Forensics officer.

  • DiscoJango on 27/12/2023 - 09:41

    Good job op.

    Also a reminder to most people that you can completely lock down your credit card via your banks app and set a purchase limit, so if your details somehow do get leaked, they wont be able to use your cc.

  • Poor Ass on 27/12/2023 - 10:22
    +4

    Screenshot or it never happened

  • RSmith on 27/12/2023 - 14:44
    +2

    Is storing credit card data not the breach of PCI DSS compliance? This is in reference to the business who had it MySQL database.

    • gromit on 27/12/2023 - 17:35
      +5

      So many breaches here it is hard to count, data is unencrypted/unprotected, storing CVV, data sitting on desktop drive, hardware not being correctly wiped post use etc etc.

      • RSmith on 27/12/2023 - 17:48

        Makes me wonder that the company is still same strategy for storing the data on a newer set of hardware.

        If the OP knows the company name and can it be reported to the relevant authorities.

      • Minimum chips on 27/12/2023 - 21:42
        +3

        This is some Optus-level incompetence.

        • ribze1 on 28/12/2023 - 21:01
          +3

          ebay account name: g.berejiklian

          • LukeS on 31/12/2023 - 07:51

            @ribze1: Or

            k.bayer.rosmarin

            Selling off stuff to make ends meet since she's out of the job now.

    • Franc-T on 27/12/2023 - 17:45

      Absolutely it is

  • SpicyStew on 27/12/2023 - 15:40

    how is it "new"?

  • mrvaluepack on 27/12/2023 - 17:51

    Wow thats terrible, its hard to believe something like that would happen!! Send the file to me so that i can verify what you said is true.

  • darkly on 27/12/2023 - 19:23

    Incredible

  • Aerith-Waifu on 27/12/2023 - 21:58
    -2

    Are they valid credit card? If so, you just become millionaire! lol

  • pahuang on 27/12/2023 - 22:20
    +9

    WTF?! I used to work for a credit card company. You are not allowed to store cvc alongside with your credit card number and expiry. Not even encrypted. This can't be from any financial institution as they MUST follow PCI compliance or have their licence revoked. For small business though… the ones that will charge you over the phone… well…

    • AustriaBargain on 27/12/2023 - 23:02
      +4

      Maybe the details were stolen in the first place and the criminal used this NUS to store them. Or an IT student studying databases generated fake details for an assignment.

      • spal on 29/12/2023 - 13:59

        I think these are the most likely scenarios. I wouldn't have thought about being random fake data for IT student's use.

      • LukeS on 31/12/2023 - 07:52

        A crook with that kind of OpSec would be locked up pretty quickly.

    • noz on 28/12/2023 - 00:13

      What about companies that store your card to auto-bill you monthly. Does that not need the CVC to be stored, or am I misunderstanding?

  • anxiousdevices on 28/12/2023 - 08:20

    Return the whole thing. You do not want to have a computer in your home that could have been part of a crime network.
    You purchased a "new" item, and that is what you should get.

    The extra effort to return and wait for the new one is a minor inconvenience, compared to any future issues where your computer gets identified to be part of some dodgy activities.

  • [Deactivated] on 28/12/2023 - 10:35
    +1

    https://www.oaic.gov.au/privacy/privacy-complaints

  • Sammy Boi on 28/12/2023 - 10:45
    -1

    Yeah I wouldn't take that to a police station I saw someone recommend that hell no. There must be a government body or somebody that can be contacted but good on you for doing the right thing and asking for advice on something that could be super sketchy

  • ripesashimi on 28/12/2023 - 12:41
    -2

    How can a local cop station even have the resource to investigate a database that is not clearly linked with anything?

    • gromit on 28/12/2023 - 13:07
      +1

      might shock you to discover but each police station isn't a stand alone entity with no connection to the rest of city/state/federal police and just because they take it and collect the details doesn't mean they will be the ones to investigate it.

    • scrimshaw on 28/12/2023 - 14:24

      Digital Forensics is a core part of the AFP

      https://careers.afp.gov.au/job/Canberra-Data-Scientist-ACT/9…

      DF CERET is a growing team who use forensic, legal technology and data analysis to manage, analyse, review and gain critical insights into large volumes of Electronically Stored Information (ESI) in support of AFP investigations. We have a team of high-performing talented people who are passionate about what they do.

      The successful candidate(s) will be working alongside Data Analysts, DF Examiners and other DF specialists. Initially you will be assisting with the preparation, enrichment, automation and delivery of ESI material to multiple stakeholders including investigators, lawyers and partner agencies through Forensic and Legal Technology software. Successful applicant(s) will also contribute to the development of advanced data techniques and design, including predictive coding.

      I assume That drive will be sent to whatever department has the capacity to investigate it.

  • yewman on 28/12/2023 - 15:13

    Take the law into your own hands and become SQLman to dispense some vigilante superhero justice to IT workers who don't properly wipe drives.

  • quanticism on 28/12/2023 - 17:00
    +2

    Query for your own CC details to see if you've been compromised.

  • imurgod on 29/12/2023 - 09:44

    Report it. There are laws surrounding this now.

    Don't implicate yourself in a crime.

    • spal on 29/12/2023 - 14:00
      +1

      OP has reported it. There is comment further up and linked in the original post too.

Login or Join to leave a comment
Login Join