After report: Further data leaks found at Lübeck IT company
An IT company in Lübeck fell victim to a ransomware attack last year. However, the data leak still exists.
(Image: created with AI in Bing Designer by heise online / dmk)
On Monday, when the State Criminal Police Office of Schleswig-Holstein published its crime statistics for 2024, NDR reported on an IT company from Lübeck that had suffered a ransomware attack last year. The report caused head-shaking in the IT scene; in his blog, fefe expressed his incomprehension at NDR's account. Our own investigations on Monday evening revealed that several security problems and data leaks at the company continue to exist.
The company Melting Mind received an email from the BSI in April 2024 stating that “there may have been a data leak at our company in the recent past” – as can still be read on the company's website.
(Image: Screenshot / dmk)
On the darknet, the APT73 group reported a break-in on the servers and threatened to sell the data. The owner of the company reported on NDR that a ransom demand of 50,000 euros in Bitcoin was on the table. He had negotiated an installment payment with the blackmailers, paid 3,000 euros and then informed his customers that they should back up their data. The report does not go into the fact that the money and customer data were lost in the end.
(Image: Screenshot / dmk)
This is because the data was nevertheless published in a ZIP package on the darknet on the blackmailers' leak site.
Vulnerability search engine continues to find data leaks
An anonymous source pointed us to the vulnerability search engine Leakix, which works similarly to the well-known search engine Shodan. As of today, Tuesday, it still delivers a comprehensive list of hits for melting-mind.de. Leakix scans the freely accessible web for system files, such as .DS_Store files, that are exposed on web servers.
macOS stores per-directory metadata, including the directory structure, in .DS_Store files. If employees are not careful, these files end up on the web server along with the site content, which happens often in practice. There they are freely accessible and give an outsider a listing of the directories and files on the server.
This is how, for example, .git folders were found inside the web root. Because git lays out its repository files under predictable paths, the entire source code of the website can be downloaded from such a freely accessible repository even when directory listings are disabled on the web server. The source code in this case contains plaintext access data for databases, and it also shows that passwords are hashed with a salt, but only with MD5.
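The two leaks described above (.DS_Store files and a .git directory sitting in the web root) are both things a deployment step can catch before anything is published. The following is an added example in Python, not code from the heise report or from Melting Mind: it walks a web root, reports version-control directories, Finder metadata and dump or backup files, and builds a constructed sample tree to run against. The list of sensitive names and suffixes is an assumption for this illustration and should be extended to match the site.

```python
import os
import tempfile
from pathlib import Path

# Names a deployment should never publish (assumed list for this example).
SENSITIVE_NAMES = {".DS_Store", ".git", ".svn", ".hg", ".env", ".htpasswd"}
# Suffixes that usually hold database dumps or copies of configuration.
SENSITIVE_SUFFIXES = (".sql", ".bak", ".orig")


def find_exposed_artifacts(web_root):
    """Return sorted, web-root-relative POSIX paths of metadata, VCS and dump files.

    A directory such as .git is reported once and not descended into: a single
    hit already means the whole repository would be retrievable over HTTP.
    """
    root = Path(web_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in SENSITIVE_NAMES:
                findings.append(Path(dirpath, name).relative_to(root).as_posix())
                dirnames.remove(name)  # prune; os.walk honours in-place edits
        for name in filenames:
            if name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES):
                findings.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(findings)


def build_sample_web_root():
    """Constructed sample tree imitating a careless upload (contains no real data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<h1>hello</h1>\n")
    # Stand-in for Finder metadata; only the header bytes are imitated here.
    (root / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / ".git" / "config").write_text("[core]\n")
    (root / "assets").mkdir()
    (root / "assets" / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")
    (root / "backup").mkdir()
    (root / "backup" / "customers.sql").write_text("-- constructed dump, no real records\n")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_web_root()
    for hit in find_exposed_artifacts(sample):
        print("would be served:", hit)
```

Running this against a real web root before (or better, instead of) uploading is the cheapest defence; the check belongs in the deployment script so that a non-empty result aborts the upload. Independently of that, the web server should refuse requests for any path component beginning with a dot, so that a stray .git or .DS_Store is not served even if it slips through.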
Finally, an SQL database is accessible with access data freely available on the Melting Mind website. It contains around 17,000 customer records with more than 3,000 bank details. It is still accessible on the Melting Mind systems at the time of reporting. This appears to have been the case for some time: according to the data from the Leakix website, some information worthy of protection has been freely available online since 2022.
Fabian Schmidt from Melting Mind responded to our inquiry: “We are currently investigating the scope and are also looking into the source of the problem. Of course, we will immediately protect this data from access.” The company will report this to the relevant authorities within the legal deadlines. “We assume that we will have dealt with most of the challenges today, at least temporarily.”
The State Data Protection Commissioner of Schleswig-Holstein, Dr. h.c. Marit Hansen, has not yet been able to respond to our questions.
(dmk)