The Dominos leak got me excited, and in no time, my device had the tor browser installed. This post is a detailed walkthrough of the Dominos data breach. I will cover how I managed to connect through all the technicalities to the leaked database and find my and acquaintances’ data compromised.
The volume of data circulating is mind-blowing, yet coverage of the leak has been negligible. Evangelism matters here, so I am turning my broadcast speakers towards a global audience. Sharing is caring.
I will also show you how not to get f**ked over by these big companies 🙂 Cool story, let's start!
What is the Dominos India Data Breach?
The data in question contains 180 million order records, including names, emails, mobile numbers and GPS coordinates, and is confirmed to have been sold for 10 BTC (around 600k USD at the peak). Clearly someone made money selling this breach, and someone else is profiting from using the data.
The NoSQL database totals around 13 TB and is effectively public: a simple search on the Tor network turns it up. A fun fact: Dominos didn't bother to inform users about the breach until the data was found circulating on the dark web.
Companies should have a moral responsibility to handle breaches and inform the people affected, not just watch the bottom line. But who is going to make them understand that responsibility? The bottom line is so much more fun to focus on.
The Reality and Consequences
Customer data is quite important to any organization from a business point of view, and trading it is common. That is how your email address ends up bombarded by companies and people you never signed up with or shared it with 🙂
The customer data and analytics sector is massive, and it is used to target every aspect of your life, from politics (such as Cambridge Analytica) to your purchases.
The customer analytics market is expected to increase at a compound annual growth rate (CAGR) of 18.2 percent during the forecast period, from USD 10.5 billion in 2020 to USD 24.2 billion by 2025.
Then what’s the issue with the leaks?
It's good that we aren't in a dystopia: companies only care about making more money from you, not about harming you personally. Leaving aside agencies pursuing non-violent criminal suspects (like U.S. Immigration and Customs Enforcement).
But the issues are severe when your ex gets their hands on this data. You had a good ex? Wow, unique.
Then think about some random guy who got your email from your GitHub commit messages. Now he can look it up in the leak and get your address and phone numbers. Trust me, I don't want to give you a headache, but this is what these companies have done, and I am just telling you the truth 🙁
TRUTH is bitter but NECESSARY.
Alright mate, calm down; let's get to the solutions, so you can take responsibility for your data instead of relying on these companies. Just one more section first, because I want to share something cool.
A bit of Nerd stuff that I’m proud of
Skip this if you don't like the nerdy stuff. I find messing with my terminal cool XD
Read on if you want some fairly advanced stuff that has helped me not appear in a data breach yet 😉
The data was hosted on the dark web. To access it you need the Tor Browser (easy to install), and you should throw in a VPN for additional protection.
I'm not particularly eager to use a VPN from a commercial provider, so I thought I would spin up an OpenVPN server of my own and connect to it with a client. All said and done, I found my license wasn't working with the OpenVPN server.
I discovered that the license was already in use on a deallocated VM in my Azure subscription. I spun the VM up again and found the private keys in my Downloads folder. Not that surprising, as I have 30 to 40 .ppk files lying around on my PC. Why .ppk and not .pem? I was on Windows.
.ppk and .pem are two file formats for the same thing, an SSH private key: .ppk is PuTTY's own format and .pem is the PEM-encoded format that OpenSSH and most Linux tools expect (PuTTYgen converts between them). Whatever the format, a private key sitting unencrypted in a Downloads folder is a liability; protect it with a passphrase and keep it out of shared or synced folders. As an average user you don't need to understand the formats; if you do, head to the Let's Talk section and let us help you with your DevSecOps.
Anyway, I SSHed into the system using PuTTY and then found I had forgotten the password, the ports, and everything else associated with the OpenVPN Access Server. To fix the license I needed to get into the admin portal, and to connect I needed to do the same.
Now I was stuck in a terminal, looking through files for some lead. I was so lost that I forgot encryption exists and that the credentials I was looking for would look like gibberish without decoding.
I'm not sure how many times I ran cat. Eventually I connected a GUI file explorer and browsed around that way, but still no leads.
But I had the terminal with me—time for the cooler stuff.
For the username I used whoami, then did a soft reset of this user's password on my VPN server (using passwd username), with the new password sitting on my clipboard.
Clipboard? I promise I'll write them on paper next time. No risks 😉
We were doing quite well with the password until I realized I had also forgotten which port I had put the OpenVPN admin portal on. Now what? Where to find that? No leads in the documentation.
Port scanners crossed my mind, so I used one to go through all the ports on the virtual machine 😎
Here comes the part where I realized I had no experience with port scanners and needed to figure everything out about them.
Google was my friend with benefits. I stumbled on an online tool, and Google got to know a bit more about me. A nice relationship.
Having forgotten that there are 65535 ports and not 100, my online tool laughed at me 😀
Back in my Azure portal, I created an Ubuntu VM, SSHed in, and used Nmap to find all the open ports on my VPN server. Sometimes my Windows 10 breaks my heart. Anyway, it was 943 (the default). I hadn't considered that the default port might be in use, since I always configure things for more security, and this time I had missed it.
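What Nmap did here (a full TCP sweep, `nmap -p- <host>` in Nmap's own syntax) is simple enough to write by hand. The following is an added example, not code from the original post, of a minimal TCP connect scanner in Python: it tries to complete a TCP handshake on each port and reports the ones that answer. Because it has to run offline, the script opens its own stand-in listener on loopback instead of touching a real VPN server; the listener, the `probe`/`scan`/`describe` helpers and the small port-name table are all constructed for this example. One caveat a sweep like this needs: a TCP probe cannot see UDP services, and the OpenVPN tunnel itself normally runs on UDP 1194, so it will find the web UI on 943 but not the VPN port.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed lookup table for ports that matter on an OpenVPN Access Server host.
# 943 is the admin web UI found above; 1194 is the usual OpenVPN tunnel port.
PORT_NAMES = {
    22: "ssh",
    443: "https",
    943: "OpenVPN Access Server admin web UI",
    1194: "openvpn tunnel (normally UDP; a TCP probe will not see it)",
}


def describe(port: int) -> str:
    """Name a port from the table above, then the OS services file, else 'unknown'."""
    if port in PORT_NAMES:
        return PORT_NAMES[port]
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect probe (what `nmap -sT` does): open if the handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan(host: str, ports, workers: int = 200, timeout: float = 0.5) -> list:
    """Probe every port in `ports` concurrently; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_local_listener(port: int = 0):
    """Constructed stand-in for the VPN server: a TCP listener on loopback.
    port=0 lets the OS pick a free port; returns (socket, chosen_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    try:
        # Sweep a window of ports around the one we know is open.
        window = range(max(1, port - 100), min(65535, port + 100) + 1)
        for p in scan("127.0.0.1", window):
            print(f"{p}/tcp open  {describe(p)}")
    finally:
        srv.close()
```

Against a real host, replace the loopback listener with the VM's address and `range(1, 65536)`, and expect the sweep to take minutes rather than seconds because every closed port has to time out or be refused; that is exactly why the "first 100 ports" shortcut of the online tool missed 943.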
Moving forward, I then forgot I had configured the server for HTTPS, not HTTP. I never had an extension to force a redirect to HTTPS, but today I realized that one 'S' could be such a headache. I used HTTPS, and I was in the admin portal. I also recommend the HTTPS Everywhere extension for added security.
The story doesn't end here. I tried to configure the client to reach the server, and it failed spectacularly.
OpenVPN Access Server bakes the server's public hostname or IP address into the client profiles it generates, so it was still attached to the VM's original IP; the newly allocated dynamic address had to be configured on the server before anything would connect.
Why not use a static address?
I don't use a static address because it costs money, and it would be months before I accessed my VPN again 😀
Don’t wanna pay that sweet OpEx (Operational Expenditure) to Azure 👉👈
After poking around the portal, I found the setting ”Hostname or IP Address:” and set it to the address the server was actually hosted on, not some dead address. Existing client profiles still carry the old address, so they have to be downloaded again after the change.
So, yeah, this was quite interesting, and now my VPN server is rocking 😀 Time to march towards the search engine.
I had never used Nmap before, but I won't forget it after today; this was an awesome lab for me.
What do you think about learning by doing?
Search Engine and booby traps
The portal was in front of me. I could see the search bar, and with a few clicks all your data would be under my control.
Or should I click? Triggering responses from the search box sounded risky, so I preferred to use the API. It was quick to locate, and I found two endpoints.
Learn more about APIs here.
The first API was for user stats and the second one was for data—both equally important.
Before my first search, the site went down, and I had to wait a couple of hours and contact a couple of sources to get the latest link. I found a new one in working condition.
You can see we had _______ searches and __ visits. So many people and bots trying to gather every 'byte' they can.
Then, with a friend's consent, I ran his number and found genuine data: his coordinates, address, emails, even his order history.
Just imagine how much harm you could do to a person by posing as a Dominos customer care representative with all that order history and personal information beside you. Social engineering at its peak. Thanks, Dominos.
Being in a relationship with my security
Now for the part you've been waiting for: the age-old question of how to stay safe. I follow a few practices that might be helpful. Let's list them in no particular order.
Two phone numbers
Try using your business number on most websites, and keep your personal number for important accounts like your Demat or bank account. You get what I'm saying, right?
Not one email
Same as with numbers: use multiple emails so that one compromised email ID doesn't take everything down with it. Modern mail clients can manage many email IDs at once with no effort on your end. Google it.
For example, I use one for communication, one for finances, one for random orders, one for risky sites... the list goes on, and I don't want the next hacker looking through my profiles to learn how many email IDs I have. Sorry, not sorry. Figure out your own requirements.
The Dominos leak didn't contain your passwords, but some leaks do. So try using Sign in with Google/Apple most of the time; it's far safer, and don't forget to add an authenticator app like Authy, Google Authenticator, or Microsoft Authenticator for more protection.
A VPN connection might help, and for casual browsing a proxy can meet your requirements. I prefer a proxy as it is somewhat faster, with the caveat that a plain proxy only hides your IP address from the site; it does not encrypt your traffic the way a VPN does.
Learn more about the difference here.
Alerts are your best friend
You can only act when you know something is wrong. Have I Been Pwned helps with this by alerting you when an account of yours appears in a breach, so you can retaliate and change or block cards and numbers to prevent misuse.
Data is important in the world of micro-targeting. You're not safe from companies, but these steps will help you stay safe from the bad actors.
I hope you enjoyed the post and are ready to be safe. Recommending you a small Netflix series this weekend that would open your eyes to the data transfer behind the closed doors 😉
Update: The search engine has been taken down, and you can no longer look up the data. By the time it went down it had 50 thousand page views and 50 million searches.