A couple of days ago, members of Inj3ct0r Team, owners of the famous exploit marketplace, breached the systems of ExploitHub, a rival website. At the time, they claimed that they had managed to steal $242,333 (189,000 EUR) worth of private exploits.
“We hacked exploithub.com because the people who publish private exploits on exploithub.com need to know that the ExploitHub admins are lamers and cannot provide them with adequate security,” Inj3ct0r Team said back then.
On the other hand, while they admit that their systems have been breached, ExploitHub representatives claim that no exploits have been stolen.
“After our initial investigation we have determined that the web application server itself was compromised and access to the database on that server was available to the attacker. The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part,” they said.
“The database on that server however only contains information used by the web application itself as well as product information such as exploit name, price, and Author, but does not contain any actual product data such as exploit code.”
The investigation is ongoing, but ExploitHub administrators claim that the valuable data is stored in another location and there’s no evidence that Inj3ct0r has managed to compromise it.
Furthermore, they highlight the fact that the information published by Inj3ct0r is actually freely available and it can be accessed by anyone via the web application’s search and browse functions.
“Current assessment of the attack indicates that the impact was limited to compromise of data from only the web application server which does not house exploit code or other product data. Again, there is currently no evidence that the exploits or other products themselves have been compromised or stolen,” they concluded their statement.