A hacker identifying themselves as "John Wick" and "Korean Hackers" claim to have breached the systems for Indian video on demand giant ZEE5 and are threatening to sell the database on criminal markets.
Earlier this year, a paste floating on the web exposed credentials of some 1,023 Premium ZEE5 accounts. After reporting these accounts to ZEE5, they were quick to respond, but we are not aware of notifications sent to affected accounts.
In an email threat sent to Tagade, editors of major Indian newspapers, and employees of ZEE5, a hacker claiming to be "Korean Hackers" warned that they have breached Zee5.com and stolen a database with sensitive information.
They then threaten that they "will expose your database & code in public for open sale soon."
The hacker(s) going by the name of "John wick" further list what all they’d be revealing: "data, recent transactions, passwords, emails, mobile numbers, email id, messages, etc…"
A point to note here: the term "email id" used in the thread is used mainly in the Indian subcontinent to refer to an email address.
In emails with BleepingComputer, the hackers state that they mostly "help these people to fix the bugs" and request Ethereum for their help.
"We are security experts from Korea, We will find bugs and report to the clients if they do not respond we try to make money, We have hacked more 50 Big websites we never sold anything," the threat actors told BleepingComputer.
The threat actors have stated that they are in conversations with ZEE5 and are asking for a minimum of a 10 Ethereum "donation"for their help.
As for the threat actors, whether or not they are from Korea cannot be confirmed.
As they are using the Tutanota email service, which provides private and encrypted mailboxes and a webmail interface, there’s no reliable way to trace the email back.
The firstname.lastname@example.org email used by the hackers was previously seen in defaced sites claiming to have been done by "Korean Hackers."
When the hackers contacted Tagade, they stated that they downloaded 150GB of "private data" from Zee5.com, including the site's source code, and plan on selling it soon.
As part of the proof given to Tagade, they shared images of a repository on bitbucket.org containing the stolen information.
The URL for the Bitbucket repository is "restricted" to the public and prompts you to log in.
To make matters worse, these hackers have posted partial data from the compromised database, secret keys present in the live source code, references to their Atlassian board, and AWS bucket credentials. They claim to have access to user data from almost every Indian state.
The leaked records contain private information on the subscribers including recent transaction data, email addresses, mobile phone numbers, passwords, etc. and multiple screenshots shared by the hackers verify proof-of-access to such records:
Below you can see a picture of the alleged source code for Zee5.com that the hackers claim they have stolen.
One of the screenshots, shown below, also has "dish-tv" network drive on the list, which is noteworthy as Essel Group, who owns ZEE, also owns the satellite TV company, Dish TV.
Could this mean the hackers also had access to Dish TV customer information?
There’s also the "dittotv-databases-backup" folder. DittoTV was the former video-on-demand arm of the service.
Further investigation is in progress, and at this time, ZEE5 has not replied to Tagade or us for comment.
In a statement shared with IANS, Tushar Vohra, Head Technology at ZEE5 India has acknowledged seeing some reports of data breach:
"We are investigating it further. We are also cognizant of the fact that the OTT sector has exploded in the past few years, so has hackers' interest in it. Especially post COVID-19 outbreak, data hacks have been on a steady rise. It is a shallow attempt to gain vested interests," Vohra explained.
"ZEE5’s backend is built with state of the art technology which is robust and strong, and we will continue to invest aggressively in technology, partnering with some of the leaders in security measures including Akamai, AWS (Amazon Web Services) to safeguard users'' data and to ensure it is never compromised," he added.
Under Indian law, while a Personal Data Protection Bill 2019 was introduced, it is still under analysis and not been fully legislated. There’s no mention of fines or penalties in the bill either.
Lack of sufficient data protection legislation and privacy laws in India may very well allow big corporations to suffer data breaches and not report them without risk of fines.
This is a developing story. Please check back for more updates.
Update 6/7/20: Added statement from Tushar Vohra, Head Technology at ZEE5 India.