Carders capitalize on Cloudflare problems, claim 150 million logins for sale

A carder forum is advertising a special deal to VIP members. The website claims to possess more than 150 million logins, from a number of services including Netflix and Uber. The source of this data collection are the accounts exposed due to a recent problem on Cloudflare’s infrastructure.

CloudBleed is the name given to a flaw created by a faulty HTML parser chain that’s responsible for dumping sensitive information from a number of Cloudflare customers across the web.

The flaw was accidentally discovered last week by Google researcher Tavis Ormandy. The incident impacted several large brands, including Uber, OKCupid, and Fitbit.

However, a Canadian researcher compiled a larger list on GitHub, which includes a number of possible affected websites – such as 23andMe, Coinbase, Patreon, Yelp, Fiverr, and Change.org. The full list contains more than 4 million domains.

Update: 23andMe sent over the following earlier this morning: “We were notified by CloudFlare that our website was not affected, which is consistent with our internal investigation thus far. We will continue to investigate and update our customers accordingly.”

Salted Hash covered the story on Thursday evening, as well as updated it on Friday, but even with all the coverage and a detailed explanation by Cloudflare, the full scope of the incident isn’t exactly clear.

According to Cloudflare, the impact includes “HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.” It’s the ‘other sensitive data‘ part that has people guessing.

On Friday evening, or early Saturday morning depending on where one is in the world, someone emailed Salted Hash a screenshot of a carder forum operating in the open. The image below was collected by us and cropped.

The forum, CVV2Finder, boasts a large collection of compromised cards and accounts, but it was the latest news post on the website that caught our tipster’s eye.

The message is as follows (with no editing or alterations):

“Dear DeepWeb Users of cvv2finder, After the success of the latest attack (cloudbleed) to cloudflare servers, More than 150 Million Fresh Logins Avaliable for Uber , Netflix … and many more. After hours these data will be avaliable into a database and would sell it for 250k$. This offer only for VIP users.”

If true, that would mean the impact of CloudBleed was much larger than first expected, and it shines some light on the data that’s been exposed. This could be really bad, not just for Cloudflare, but for anyone who uses a website maintained by one of their customers.

However, Netflix isn’t a CloudFlare customer – they are their own CDN, so their inclusion in the list of offered accounts is suspect. Also, the post hinges on ‘many more‘, without naming any company that wasn’t previously disclosed by Mr. Ormandy.

CVV2Finder lists Netflix, Dominos, several “People Meet” dating websites, Tidal, CBS, Bitdefender, Origin, Dell, UPS, HBO Now, Spotify, and DirecTV accounts in their database as available to purchase. However, there are only 2,300 accounts, a far cry from the 150 million they are promising.

Again, if the offer is legit, that’s bad news for a lot of people and several big brands. But from the looks of things, this is likely a hoax, or a website boasting in order to get more users.

We’ll update this article if there is more information.