Russian media streaming service Start acknowledged a data breach involving email addresses and phone numbers while seeking to downplay the severity by telling users that no passwords, payment card or viewing data was involved.
The vulnerability that led to the breach has been fixed, the company says.
Start has a presence in 174 countries; no threat actor has claimed responsibility for the attack.
Russian-language Telegram channel “Data Leak, which monitors the dark web for possible data leak claims, published what appear to be screenshots of the leaked information on the platform. It says the 72-gigabyte leaked database contains information on nearly 44 million customers, and that 24.6 million of them are from Russia, 2.3 million from Kazakhstan, 2.1 million from China and 1.7 million from Ukraine.
Threat actors appear to have exploited an exposed MongoDB database flaw to exfiltrate the data in JSON format. Data Leak contradicts Start’s statement by asserting the exposed information includes customer usernames, hashed MD5 encrypted passwords, IP addresses, countries of registration, subscription start and end dates and last login details. The entries are from Sept. 19, 2017, to Sept. 22, 2021.
