Hackers are selling data centre login credentials of some of the world’s largest corporations, including Alibaba, Amazon, Apple, BMW AG, Microsoft, and Walmart among others, reports Bloomberg. The list of corporations also includes some in India among them, Bharti Airtel and the National Internet Exchange of India. 


According to the report, a US-based cybersecurity research firm Resecurity Inc revealed that hackers got hold of login credentials for two of the largest data centre operators in Asia: Shanghai-based GDS Holdings Ltd. and Singapore-based ST Telemedia Global Data Centres. According to Resecurity, about 2,000 customers of GDS and STT GDC were affected. 


Affected Firms


The leaked data include credentials in varying numbers for some of the world’s biggest companies, including Alibaba Group Holding Ltd., Amazon.com Inc., Apple Inc., BMW AG,  Goldman Sachs Group Inc., Huawei Technologies Co., Microsoft Corp., Walmart Inc., Bharti Airtel Ltd., Bloomberg LP, ByteDance Ltd., Ford Motor Co., Mastercard Inc., Morgan Stanley, Paypal Holdings Inc., Porsche AG, SoftBank Corp., Tencent Holdings Ltd., Verizon Communications Inc., and Wells Fargo & Co., according to the security firm. 


The report also revealed that hackers have logged into the accounts of at least five of the affected firms. At GDS, the hackers accessed an account for the China Foreign Exchange Trade System, an arm of China’s central bank, operating the government’s main foreign exchange and debt trading platform. 


At STT GDC, the hackers accessed accounts for the National Internet Exchange of India, an organization that connects internet providers across the country, and three others based in India: MyLink Services Pvt., Skymax Broadband Services Pvt., and Logix InfoSecurity Pvt., the report said. 


However, the report added that it’s not clear what the hackers did with the other logins.


How The Leaked Data Came To Light


According to Resecurity, the hackers had access to the login credentials for more than a year before they posted it for sale on the dark web last month, for $175,000. 


The hackers said in the post, “I used some targets…But unable to handle as total number of companies is over 2,000.”


The post said, “DBs contain customer information, can be used for phishing, access of cabinets, monitoring of orders and equipment, remote hands orders…Who can assist with targeted phishing?”


Resecurity in a blog post on February 12 said, “The initial indicators of this activity were identified in September 2021 - proper early-warning threat intelligence notifications have been disseminated to two data centre organizations based in China and Singapore. Additional intelligence was acquired at the end of 2022 related to the same activity and addressed for further incident response (IR) to the appropriate parties. The most recent update was received in January 2023 and shared in a timely manner. Around that time both data centre organizations began forcing their clients to change their passwords and released a notification of a security policy update.”


“The initial early-warning threat notification about this activity was sent around September 2021 with further updates during 2022 and January, 2023,” the cybersecurity firm added. 


In late January, after GDS and STT GDC changed customers’ passwords, the report said.  


According to Resecurity, even without valid passwords, the data would still be valuable — allowing hackers to craft targeted phishing emails against people with high-level access to their companies’ networks. 


What Data Centres Said


GDS Holdings in a statement said that a customer support website was breached in 2021. 


However, both companies told Bloomberg that the rogue credentials didn’t pose a risk to clients’ IT systems or data.


Michael Henry, former chief information officer for Digital Realty Trust Inc., told Bloomberg, “This is a nightmare waiting to happen.” He said that the worst-case scenario for any data centre operator is that attackers somehow get physical access to clients’ servers and install malicious code or additional equipment. 


Cheryl Lee, a spokesperson for the Cyber Security Agency of Singapore, told Bloomberg that it “is aware of the incident and is assisting ST Telemedia on this matter.” 


GDS in its statement said, “The application which was targeted by hackers is limited in scope and information to non-critical service functions, such as making ticketing requests, scheduling physical delivery of equipment and reviewing maintenance reports…Requests made through the application typically require offline follow-up and confirmation. Given the basic nature of the application, the breach did not result in any threat to our customers’ IT operations.”


STT GDC said, “The IT system in question is a customer service ticketing tool” and “has no connection to other corporate systems nor any critical data infrastructure.”


“No unauthorized access or data loss was observed,” according to STT GDC. 


The hackers obtained email addresses and passwords for more than 3,000 people at GDS — including its own employees and those of its customers — and more than 1,000 from STT GDC, according to the report. They also stole credentials for GDS’s network of more than 30,000 surveillance cameras.