Data could have also originated from Regpack

Sep 14, 2016 23:20 GMT

Roughly 324,000 payment card details for over 105,000 users were leaked in July 2016 by a hacker going by the name of 0x2Taylor.

According to an analysis by Have I Been Pwned owner Troy Hunt, the data appears to belong to BlueSnap, a payments processing service.

Hunt says that several Have I Been Pwned users have confirmed that the breach contains accurate personal details, including the ones relating to payment card information.

According to Hunt, the data contains browser user agent details, IP addresses, credit card CVVs, partial credit card data, email addresses, names, phone numbers, physical addresses, and a list of purchases and financial transactions. Hunt says the data spans from March 10, 2014, to May 20, 2016.

It's Regpack...

Unlike similar breaches, attribution was not easy, and Hunt himself points out that, based on hints he received from his site's users, it's also likely that the payment card data originated from a security breach at one of BlueSnap's customers, Regpack, an online events registration system.

Hunt says that he and several reporters contacted the two companies, but neither of them wanted to take credit for the breach.

Hunt's arguments are that BlueSnap didn't want to acknowledge the breach because it is still possible it didn't happen there, while Regpack didn't want to acknowledge the incident because they were only supposed to redirect payment details to BlueSnap, and not store them on their servers.

Even worse, it appears that whoever is guilty of this breach is also in line for a serious fine, because they also stored payment card security code details (CVV or CVV2), an action prohibited by financial authorities and credit card companies. As such, you can see why none of the companies is willing to raise its hand and say "My bad!"

Oh no wait, it's BlueSnap...

Nevertheless, BlueSnap's name shouldn't be removed from the discussion. While a vast majority of Have I Been Pwned users who confirmed their details said they still had invoices from Regpack, a clear sign that they interacted with the service, the data also contained user financial details from other services besides Regpack, which are also BlueSnap customers.

All these companies are based, or doing business, in Israel. BlueSnap started its life as an Israeli startup named Plimus in 2001 but was acquired and rebranded as BlueSnap in the same year. Regpack became a BlueSnap customer in 2013.

For the moment, Hunt attributes the breach to BlueSnap only based on 0x2Taylor's tweet.

UPDATE: A BlueSnap representative has informed Troy Hunt that Regpack has acknowledged being the source of the leak. The full statement is below.

BlueSnap Full Statement
