180 Million Orders: The Dominos Breach and what you should learn from it

Published 27.05.2021

Author Hrittik Roy

Categories Investigation

The Dominos leak got me excited, and in no time my device had Tor Browser installed. This post is a detailed walkthrough of the Dominos data breach. I will cover how I worked through all the technicalities to reach the leaked database and found my own and my acquaintances’ data in it.

The volume of data circulating is mind-blowing, yet public details about the leak are scarce. Awareness matters, so I am turning my broadcast speakers toward a global audience. Sharing is caring.

I will also show you how not to get f**ked over by these big companies 🙂 Cool story, let’s start!

What is the Dominos India Data Breach?

The data in question covers 180 million orders: names, email addresses, mobile numbers, GPS coordinates, etc., and it is confirmed to have been offered for 10 BTC (around 600k USD at the peak). Clearly, someone is making money from this breach, and someone else is profiting by using the data.

The listing for the Dominos breach

The NoSQL database totals around 13 TB and can be located with a simple search on the Tor network. A fun fact: Dominos did not bother to inform users about the breach until the data was found circulating on the dark web.

The data hosted on Amazon S3

Dominos breach directory tree: detailed view of the S3 bucket

Companies have a moral responsibility to handle breaches and notify those affected, not just to protect the bottom line. But who is going to make them understand that? Focusing only on the bottom line is far more comfortable.

Dominos breach notice, issued after more than two months

The Reality and Consequences

Customer data is valuable to any organisation from a business standpoint, and trading it is common. That is also the answer to why your inbox is bombarded by companies and people you never signed up with or shared your address with 🙂

The customer data and analytics sector is massive, and it is used to target every aspect of your life, from politics (such as Cambridge Analytica) to your purchases.

Dominos breach stats and point of contact

The customer analytics market is expected to grow at a compound annual growth rate (CAGR) of 18.2 percent over the forecast period, from USD 10.5 billion in 2020 to USD 24.2 billion by 2025.

Then what’s the issue with the leaks?

It is some comfort that we are not in a dystopia: companies only care about making more money from you, not about harming you personally (leaving aside agencies that pursue non-violent suspects, like U.S. Immigration and Customs Enforcement).

But the problems become severe when your ex gets their hands on this data. You had a good ex? Wow, unique.

Then think about some random person who got your email address from your GitHub commit metadata. One lookup later they have your home address and phone numbers. Trust me, I don’t want to give you a headache; these companies already are. I am just telling you the truth 🙁

TRUTH is bitter but NECESSARY.

Alright mate, calm down; we will get to practical steps for taking responsibility for your own data instead of relying on these companies. Just one more section first, because I want to share something cool.

A bit of Nerd stuff that I’m proud of

Skip this if you don’t like the cool stuff. I find messing with my terminal cool XD

Read on if you want the slightly more advanced stuff that has helped me not appear in a single data breach so far 😉

Dark web (image source: webhostingsecretrevealed)

The dark web is where the data was hosted. To reach it you need Tor Browser (easy to install), and adding a VPN underneath it gives an extra layer between you and your ISP.

I am not keen on using a VPN from a commercial provider, so I decided to spin up my own OpenVPN Access Server and connect to it with a client. All said and done, I found my licence key was not working with the OpenVPN server.

Azure Portal showing a running virtual machine

I discovered that the licence was already in use on a deallocated VM in my Azure subscription. I started that VM again and found its private key in my Downloads folder, which was unexpected, as I have 30 or 40 .ppk files lying around on my PC. Why .ppk and not .pem? I was on Windows.

.ppk and .pem are two file formats for the same kind of SSH private key: .ppk is PuTTY’s own format, .pem is the OpenSSH/OpenSSL text format, and PuTTY’s puttygen converts between them. As an average user you don’t need to understand them, and if you would rather not, head to the let’s talk section and let us help you with your DevSecOps.

Anyway, I SSHed into the system using PuTTY and then realised I had forgotten the password, the ports and everything else associated with the OpenVPN Access Server. To get at the licence I needed to get into the admin portal, and to connect a client I needed to do the same thing.

Now I was stuck in a terminal, looking through files for a lead. I was so lost that I forgot encryption exists and that the credentials I was looking for would look like gibberish on disk anyway.

I am not sure how many times I ran cat. Eventually I tried attaching a GUI file explorer and browsing that way, but still no leads.

But I still had the terminal with me; time for the cooler stuff.

I used whoami for the username and then did a soft reset of that user’s password on my VPN server (using passwd username), with the new password sitting on my clipboard.

Password change on a Linux system from the CLI

Clipboard? I promise I will write them down on paper next time. No risks 😉

We were doing quite well with the password until I realised I had forgotten which port I had configured the OpenVPN admin portal on. What now? Where to find it? No leads in the documentation.

Port scanners crossed my mind: use one to go through all the ports on the virtual machine 😎

Here comes the part where I realised I had no experience with port scanners and needed to figure everything out about them.

Google was my friend with benefits. I landed on an online scanning tool, and Google got to know a bit more about me. A nice relationship.

Having forgotten that there are 65535 TCP ports and not 100 of them, I watched my online tool laugh at me 😀

Back in the Azure portal, I created an Ubuntu VM, SSHed in and used Nmap to find all the open ports on my VPN server. Sometimes my Windows 10 breaks my heart. Anyway, it was 943, the default admin port for OpenVPN Access Server. I hadn’t considered the default because I always change such things for more security, and this time I had missed it.

Nmap and its results on the dynamic IP
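As an added example (not the author’s code and not an Nmap feature), here is the same discovery step in pure Python: a TCP connect scan, which is what nmap -sT does and what the full-range scan above boiled down to. So that it runs offline, it starts a throw-away listener on 127.0.0.1 on an OS-chosen port and scans a window of ports around it; the listener and the 50-port window are assumptions for the demo. scan_ports takes any host and port range, so only point it at machines you are authorised to scan.

```python
"""Locate a listening TCP service by connect-scanning a port range."""
from __future__ import annotations

import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def is_open(host: str, port: int, timeout: float = 0.3) -> bool:
    """True if a full TCP handshake completes on host:port (what nmap -sT checks)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED, timeout, unreachable: treated as closed/filtered
        return False


def scan_ports(host: str, ports: Iterable[int], workers: int = 64,
               timeout: float = 0.3) -> List[int]:
    """Connect-scan `ports` on `host` in parallel and return the open ones, sorted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: is_open(host, p, timeout), ports))
    return sorted(p for p, ok in zip(ports, results) if ok)


class DummyListener:
    """Stand-in for the admin portal (assumption for the demo): listens on an
    OS-chosen loopback port and accepts-then-closes every connection."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))   # port 0: let the kernel pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.1)   # lets the accept loop notice stop()
        self.port: int = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:         # socket closed underneath us
                return
            conn.close()

    def stop(self) -> None:
        """Stop the accept loop first, then close, so the port is really released."""
        self._stop.set()
        self._thread.join()
        self.sock.close()


def demo(width: int = 50) -> Tuple[int, List[int]]:
    """Start the listener, scan `width` ports either side of it on loopback,
    and return (the listener's port, the open ports the scan found)."""
    listener = DummyListener()
    try:
        lo, hi = max(1, listener.port - width), min(65535, listener.port + width)
        found = scan_ports("127.0.0.1", range(lo, hi + 1))
    finally:
        listener.stop()
    return listener.port, found


if __name__ == "__main__":
    target, open_ports = demo()
    print(f"listener on port {target}; scan found open ports: {open_ports}")
```

Against a real host the equivalent is nmap -sT -p- <host>; the thread pool is what keeps a 65535-port sweep from taking an hour, and a short connect timeout is what makes filtered ports (dropped SYNs) show up as closed rather than hanging the scan.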

Moving on, I next forgot that I had configured the server for HTTPS only, not HTTP. I never had an extension to force HTTPS, and today I learned that a single ‘S’ can be such a headache. I used https:// and was in the admin portal. I also recommend the HTTPS Everywhere extension for added security (modern browsers now ship an HTTPS-only mode that does the same job).

The story doesn’t end here. I tried to configure the client to reach the server, and it failed thoroughly.

It turns out OpenVPN Access Server is quite attached to the IP address it was first set up with: the client profiles it generates embed that address, so the server had to be told its newly allocated dynamic address before anything would connect.

Why not use a static address?

I don’t use a static address because it costs money, and it may be months before I touch this VPN again 😀

I don’t want to pay that sweet OpEx (operational expenditure) to Azure 👉👈

After poking around the portal, I found the setting “Hostname or IP Address:” and pointed the server at the address it was actually hosted on instead of a dead one. Client profiles downloaded before that change still carry the old address, so they need to be downloaded again afterwards.

OpenVPN server admin portal

So, yeah, this was quite interesting, and now my VPN server is rocking 😀 Time to march towards the search engine.

I had never used Nmap before, but I won’t forget it after today; this was an awesome lab for me.

What do you think about learning by doing?

Search engine and booby traps

The portal was in front of me. I could see the search bar, and with a few clicks all of your data would be under my control.

The search engine

Or should I click? It sounded risky to trigger whatever the search box did in the browser, so I preferred to use the API directly. The API was quick to locate, and there were two of them.


Event for the search engine

The first API served usage stats and the second served the data itself; both equally important.

Before my first search the site went down, and I had to wait a couple of hours and contact a couple of sources for the latest link. I found a new one in working condition.

The stats

Stats API

You can see there had been _______ searches and __ visits. So many people and bots, trying to gather every ‘byte’ they can.

OG Intel

Now, with a friend’s consent, I ran his number and found the genuine article: his coordinates, address and emails, right down to his order history.

Data API

Just imagine how much harm you could do by posing as a Dominos customer care representative with all of this order history and personal information in front of you. Social engineering at its peak. Thanks, Dominos.

Being in a relationship with my security

Now for what you have been waiting for: the age-old question of how to stay safe. I follow a few practices that might help. Here they are, in no particular order.

Two phone numbers

Use a secondary or business number on most websites and keep your personal number for important accounts like your Demat or bank account. You get what I mean, right?

Not one email

Same as with numbers: use multiple email addresses so that one compromised address doesn’t expose everything. Modern mail clients can manage many addresses at once with no effort on your part; Google it.

For example, I use separate ones for communication, finances, random orders, risky sites… the list goes on, and I don’t want the next hacker looking through my profiles to learn how many addresses I have. Sorry, not sorry. Work out your own requirements.

2FAs

The Dominos leak didn’t contain passwords, but some leaks do. So use Sign in with Google/Apple where you can; it’s much safer, as long as that one account is itself locked down, and don’t forget to add an authenticator app like Authy, Google Authenticator or Microsoft Authenticator for more protection.

Two Factor Authentication

VPNs

A VPN connection might help, and for casual browsing a proxy may meet your needs. I prefer a proxy, as it is somewhat faster. Bear in mind that a plain HTTP or SOCKS proxy only replaces your source address and, unlike a VPN tunnel, does not encrypt the traffic between you and it.


Alerts are your best friend

You can only act when you know something is wrong. Have I Been Pwned helps by emailing you an alert when your address shows up in a breach, so you can react: rotate passwords and change or block cards and numbers before they are misused.

Final Thoughts

Data is currency in the world of micro-targeting. You are not safe from companies, but these steps will help you stay safer from the bad actors.

I hope you enjoyed the post and are ready to stay safe. I recommend a short Netflix series for this weekend that will open your eyes to the data trade going on behind closed doors 😉

Update: the search engine has been taken down, and the data can no longer be looked up. By the time it went down it had 50 thousand page views and 50 million searches.

Happy Exploring!
