Russian streaming platform confirms data breach affecting 7.5M users

Russian media streaming platform ‘START’ (start.ru) has confirmed rumors of a data breach impacting millions of users.

The platform’s administrators shared that network intruders managed to steal a 2021 database from its systems and are now distributing samples online.

The stolen database contains email addresses, phone numbers, and usernames. START characterizes it as uninteresting to most cybercriminals as it can’t be used for taking over accounts.

Financial information, bank card data, browsing history, or user passwords have not been impacted because these details were not present in the database.

“We have already fixed the vulnerability, and access to our data is closed,” mentions the statement on Telegram.

Even though a global reset isn’t enforced by START, it is recommended that all users change their passwords.

At least 7.5 million users impacted

The rumors about a data breach impacting START first appeared on Sunday, August 28, when a 72GB MongoDB JSON dump containing information of almost 44 million users started to be distributed over a social network.

Many of these entries concern test accounts. However, the dump contains 7,455,926 unique email addresses, which is likely close to the real number of exposed users.

The records date as recently as on September 22, 2021, so this incident doesn’t impact users who registered with the service after that date.

Russian news outlet Medusa reports having tested random entries from the leaked database on START’s password recovery tool, and all logins turned out to be valid.

One discrepancy between START’s statement and the leaked dump is that the latter contains md5crypt-hashed passwords, IP addresses, login logs, and subscription details, which have not been included in the official statement from the platform.

Russia to tighten data leak rules

Due to the increased cyber-offensive activity against Russian online platforms, the Moscow is implementing methods to defend user data from unauthorized access and to protect its citizens from exposure.

Last week, Kommersant reported that the Ministry of Digital Development is promoting a plan to create a register of “unacceptable IT security practices,” to help raise awareness among organization leaders.

Earlier this month, the same ministry proposed establishing a fund that would be used to compensate victims of database leaks. The fund would be backed by fines imposed on the entities responsible for the security breaches.

The presented draft law suggests a fine of 3% of the breached company’s annual turnover to introduce an incentive for firms to develop and apply sound security practices.