180 Million Orders: The Dominos Breach and what you should learn from it

by | 27.05.2021 | Investigation

The Dominos leak got me excited, and in no time my device had the Tor browser installed. This post is a detailed walkthrough of the Dominos data breach. I will cover how I worked through all the technicalities to connect to the leaked database and found my own and my acquaintances’ data compromised.

The volume of data circulating is mind-blowing, yet the details available about the leak are negligible. Now, evangelism is important, and I turn my broadcast speakers towards the global audience. Sharing is caring.

I will also show you how not to get f**ked over by these big companies 🙂 Cool story, let’s start!

What is the Dominos India Data Breach?

The data in question had 180 million order details, names, emails, mobile numbers, GPS coordinates, etc., and is confirmed to have been sold for 10 BTC (around 600k USD at the peak). Clearly, someone is making money from this breach, and someone else is profiting by using the data.

The Listing for the Dominos Breach

The total size of the NoSQL database is around 13 TB, and it is available in the public domain through a simple search on the Tor network. Now, a fun fact: Dominos didn’t care to inform users about the breach until the data was found circulating on the dark web.

The data was hosted on Amazon S3.

Detailed view of the S3 bucket

Companies should have a moral responsibility to tackle breaches and inform their users, not to care only about the bottom line. But who is going to make them understand their responsibilities? The bottom line is such fun to focus on.

Dominos Breach Notice after 2+ Months

The Reality and Consequences

Customer data is quite important for any organization from a business point of view, and data trade is quite common. Now you have the answer to why your email address is already bombarded by companies or people you never signed up with or shared it with 🙂

The customer data and analytics sector is massive, and it is used to target every aspect of your life, from politics (such as Cambridge Analytica) to your purchases.

Dominos Breach stats and point of contact

The customer analytics market is expected to increase at a compound annual growth rate (CAGR) of 18.2 percent during the forecast period, from USD 10.5 billion in 2020 to USD 24.2 billion by 2025.

Then what’s the issue with the leaks?

It’s good that we aren’t in a dystopia: companies only care about making more money from you, not about harming you personally. That leaves out agencies pursuing non-violent criminal suspects (like U.S. Immigration and Customs Enforcement).

But the issues are severe when your ex gets hands on them. You had a good ex? Wow unique.

Then think about some random guy who got your email via your GitHub commit messages. Now that person can do a lookup and get your address and phone numbers. Trust me, I don’t want to give you a headache, but these companies are, and I am just telling you the truth 🙁

TRUTH is bitter but NECESSARY.

Aight mate, calm down, and let’s give you solutions for taking responsibility for your data instead of relying on these companies. Just one more section first. I want to share something cool.

A bit of Nerd stuff that I’m proud of

Skip this if you don’t like the cool stuff. I find messing with my terminal cool XD

Read through if you want the somewhat advanced stuff that has so far helped me not to appear in a single data breach 😉

Dark Web (Source: webhostingsecretrevealed)

The dark web is where the data was hosted; to access it you need the Tor browser (easy to install), and you should throw in a VPN for extra protection.

I’m not particularly eager to use a VPN from a service provider, so I thought I’d spin up an OpenVPN server and use a client to connect to it. All said and done, I found my license wasn’t working with the OpenVPN server.

Azure Portal showing a running virtual machine

I discovered that the license was already in use on a deallocated VM in my Azure subscription. I spun the VM up again and found the private keys in my Downloads folder. Quite unexpectedly, as I have 30/40 .ppk files lying around on my PC. Why .ppk and not .pem? I was on Windows.

.ppk (PuTTY) and .pem (OpenSSH) are two file formats for the same kind of SSH private key. Being an average user, you don’t need to understand them, and if you do, head to the let’s talk section and let us help you with your DevSecOps.

Anyway, I SSHed into the system using PuTTY and then found I had forgotten the password, the ports, and everything else associated with the OpenVPN Access Server. To get a license, I needed to get into the admin portal; to connect, I needed to do the same thing.

Now I was stuck in a terminal, looking through all the files for some lead. I was so lost that I forgot encryption exists, and that the credentials I was looking for would look like gibberish without decoding.

I am not sure how many times I used the cat command. Eventually, I thought of connecting a GUI file explorer and browsing that way, but no leads.

But I had the terminal with me—time for the cooler stuff.

For the username, I used whoami, then did a soft reset on my VPN server (using passwd username) with a new password from my clipboard for this user.

Password change on a Linux system by a CLI

Clipboard? I promise I would write them on paper for the next time. No risks 😉

We were doing quite well with the passwords until I realized I had forgotten the port I had configured for my OpenVPN admin portal. Now what? Where to find it? No leads in the documentation.

Port scanners crossed my mind, and I used one to go through all the ports on the virtual machine 😎

Here comes the part where I realized that I had no experience with port scanners. I needed to figure out everything about them.

Google was my friend with benefits. I stumbled on an online tool, and Google got to know a bit more about me. A nice relationship.

Now, being quite forgetful about the fact that we have 65531 ports and not 100 of them, my online tool laughed at me 😀

Back in my Azure portal, I created an Ubuntu VM, SSHed in, and then used Nmap to find all the open ports on my VPN server. Sometimes my Windows 10 breaks my heart. Anyway, it was 943 (the default one). I didn’t consider that the default port might be in use, as I always configure things for more security, and this time I had missed it.

Nmap and its results on the dynamic IP

Anyway, moving forward, I had also forgotten that I had configured my server for HTTPS and not HTTP. I never had an extension to force-redirect to HTTPS, but today I realized that an ‘S’ could be such a headache. I used HTTPS, and now I was in the admin portal. I also recommend the HTTPS Everywhere extension for added security.

The story doesn’t end here. I was trying to configure the client to access the server, but it failed thoroughly.

It seems that OpenVPN is quite attached to the initial IP address, so we need to configure the newly allocated dynamic address on the server so that everything connects.

Why not use a static address?

I don’t use a static address because it is costly, and it would be months before I accessed my VPN again 😀

Don’t wanna pay that sweet OpEx (Operational Expenditure) to Azure 👉👈

After poking around the portal, I found the setting ”Hostname or IP Address:” and configured my server to accept connections at the address it was actually hosted on, not some dead address.

OpenVPN server portal

So, yeah, this was quite interesting, and now my VPN server is rocking 😀 Time to march towards the search engine.

I never used Nmap before, but I won’t forget it after today as this was an awesome lab for me.

What do you think about learning by doing?

Search Engine and booby traps

The portal was in front of me. I could see the search bar, and with a few clicks, all your data would be under my control.

The Search Engine

Or should we click? IDK, it sounds risky to trigger responses from the search box, and I prefer to use the API. The API was quick to locate, and I found two of them.

Learn more about APIs here.

Event for the search Engine

The first API was for user stats and the second one was for data—both equally important.

Before my first search, the site went down, and I had to wait a couple of hours and contact a couple of sources to get the latest link. I found a new one in working condition.

The stats

Stats API

You can see we had _______ searches and __ visits. So many people and bots, trying to gather every ‘byte’ they can.

OG Intel

Now, after getting a friend’s consent, I ran his number and found good original stuff: his coordinates, address, emails, right down to his order history.

Data API

Just imagine how much harm you could do to a person by disguising yourself as a customer care representative from Dominos with all this order history and personal information beside you. Social engineering at its peak. Thanks, Dominos.

Being in a relationship with my security

Now the things you have been waiting for are here—the age-old question of how to be safe. I follow a few practices, and they might be helpful. Let’s list them in no particular order of importance.

Two phone numbers

Try using your business number on most websites and keep your personal number for your important accounts like Demat or bank accounts. You get what I’m saying. Right?

Not one email

Same as with the numbers, try using multiple emails so that one email id getting compromised is contained. Modern mail clients are powerful enough to manage a lot of email ids at once with no effort on your end. Google it.

For example, I use one each for communication, finances, random orders, risky sites…. The list goes on, and I don’t want the next hacker looking through my profiles to find out how many email ids I have. So sorry, not sorry. Figure out your requirements on your own.

2FAs

These Dominos leaks didn’t have your passwords, but some do. So, try using Sign in with Google/Apple most of the time. It’s way safer, and don’t forget to add an authenticator app like Authy, Google Authenticator, or Microsoft Authenticator for more protection.

Two Factor Authentication

VPNs

A VPN connection might help, and if you are casually browsing, proxies can meet your requirements. I prefer a proxy, as it is somewhat faster.

Learn more about the difference here.

Alerts are your best friend

You can take action when you are aware that something is wrong. Haveibeenpwned helps you with this by sending you alerts when you have been pwned, and then you can react and change or block cards/numbers to prevent misuse.
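The same service also lets you check whether a password has appeared in a known breach without ever sending it, via its Pwned Passwords range endpoint. This is an added example (not the post’s own code, and the range endpoint is a real Have I Been Pwned API that I am assuming here): only the first five hex characters of the SHA-1 leave your machine, and the suffix is matched locally. The range response embedded below is constructed so the demo runs offline; only the suffix of "password" is real.

```python
import hashlib
import urllib.request

# Real HIBP endpoint (assumed here); it receives only a 5-character SHA-1 prefix, never the password.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent out and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_body: str) -> int:
    """Match the local suffix against a range response of 'SUFFIX:COUNT' lines; 0 means not seen."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call for a real check; the offline demo below does not use it."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breached_count(password: str) -> int:
    """Full k-anonymity lookup: send the prefix, match the suffix on our side."""
    prefix, _ = sha1_prefix_suffix(password)
    return count_in_range(password, fetch_range(prefix))


# Constructed stand-in for the body returned for prefix 5BAA6 (the prefix of "password").
# The second suffix is the real one for "password"; the others and all counts are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    for pw in ("password", "Password"):
        n = count_in_range(pw, CONSTRUCTED_RANGE_5BAA6)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in this range'}")
```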

Final Thoughts

Data is important in the world of micro-targeting. You’re not safe from companies, but these steps will help you stay safe from bad actors.

I hope you enjoyed the post and are ready to stay safe. I recommend a short Netflix series this weekend that will open your eyes to the data transfers happening behind closed doors 😉

Update: The search engine has been taken down, and you can no longer look up the data. By the time it went down, it had 50 thousand page views and 50 million searches.

Happy Exploring!
