Information about Beeline employees leaked to the network

The data of almost all Beeline employees, including corporate email addresses, mobile and home phone numbers, coded full names, etc., were made public. The Telegram channel “Information Leaks” was the first to report this. A Beeline representative confirmed the leak.

Hackers uploaded four LDIF files (a catalog in text format. – Vedomosti) to an anonymous Telegram channel with data from internal users of Beeline systems in the Moscow, South, Urals and Central regions, writes Information Leaks. Vedomosti’s source in a company in the cybersecurity market clarified that it was about the NLB Telegram channel. The data files were made publicly available on December 1 at 4:20 pm, Ashot Hovhannisyan, the author of the Information Leaks Telegram channel and the founder of the DLBI data leak intelligence and darknet monitoring service, clarifies.

The files contain almost 200,000 unique logins in the vimpelcom.ru domain, almost 100,000 home and mobile phones, 67,000 corporate e-mail addresses, as well as a Base64-encoded full name and other service information, the post says. It is easy to decode the full name from the merged database using any available online decoder, Luka Safonov, technical director of JSC Sinklit, clarifies. According to him, the database also contains information about the department in which the employee works.

“Our customer data is safe. We confirm the information about the access to open access of data from the corporate directory, which is available to every Beeline employee, ”the Beeline representative said in the comments to Vedomosti. An investigation is underway to determine the cause of the incident, he added.

Vedomosti sent a request to Roskomnadzor.

Telecom operators leak data often and in large chunks, as among all companies leading a digital business, they differ in the “most frivolous” approach to information security, says Oganesyan. This is not the first data leak in the Beeline infrastructure, he recalls. In September 2021, about 1.5 million unique records with the data of the operator’s home Internet customers were publicly available. The company then sent a statement to law enforcement agencies, the source of Vedomosti reported in Beeline. “Some part of our infrastructure turned out to be available and not protected from the outside. A number of systemic errors were made,” he explained.

With a high probability, we can say that the data of the majority of Beeline employees in Russia got into the public domain and this is a major leak for the company, says Oganesyan. Safonov agrees with him, according to whom this leak can be compared with the leaks of almost all the data of Sberbank employees and Russian Railways in 2018 and 2019 respectively.

The hacker who posted the data of Beeline employees is already known for publishing leaks from large Russian companies, Oganesyan continues. According to him, it was he who published the bases of participants in the loyalty program Tele2, Russian Post, GeekBrains, Delivery Club, tutu.ru, etc. Most likely, he specializes in attacks on IT-specialist jobs, as well as git-repositories of developers and in this case, got access to an employee account with access to LDAP (Lightweight Directory Access Protocol) servers, a kind of “phone book” of an organization with rights, full name, contacts and hierarchy. – Vedomosti), backup copies or a test environment (“sandbox ”), from where he uploaded the data, Hovhannisyan believes. Safonov admits that the data could be uploaded by an employee of Beeline itself.

The problem of access to LDAP directories is known, regulators have already paid attention to this vulnerability in their recommendations, and this is a call for the company’s security service, says Andrei Kurilo, FBK Information Security Advisor and FBK CyberSecurity. The stolen data, he said, could be used to prepare a larger social engineering attack, followed by the development of other vectors.

This database is most likely to be used in phishing and social attacks against company employees, since the leak contains all the necessary data, including not only names and contacts, but also a place in the organizational structure, manager data, etc., Oganesyan adds. Using this data, it is quite possible to get employees of the company to perform many dangerous actions, including providing access to internal infrastructure, he said.

If there are emails in the database, attackers will be able to conduct, for example, targeted phishing mailings, Vedomosti’s source in a company in the cybersecurity market warns. Also via Microsoft Exchange can be attacked with password spraying (Password spraying), he continues. In this case, the attacker tries to get a valid password by substituting common passwords for the email addresses he has. If he succeeds, then he can already upload a complete and 100% up-to-date database with data from company employees, the source explains.