A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.
— Data Breach Today
According to this article at Data Breach Today, attackers were able to access and expose 1.4 GB of data from the Qatar National Bank in Doha containing, for hundreds of thousands of bank customers, details such as national identification numbers, social media profile links, card numbers, expiration dates, logins, passwords, password-reset questions, PINs and more. Though QNB has not (yet) commented officially on the breach, multiple security experts (noted in the linked article) have indicated that the data appears to be legitimate. Aside from the obvious (if you are a QNB customer, right now would be a good time to update or change your account information or close the account; I didn't see any indication that the bank knew how the breach happened or that it had been resolved), there are a couple of takeaways here:
- The article mentions a couple of times that the leaked data included passwords: not password hashes (let alone salted hashes), but the passwords themselves.
- In addition to the massive cache of customer data, the article also mentions that the leak included “…banking documents, including sensitive information on the bank’s retail business and banking application, plus administrator-level account access details”. Based on this, I would not be surprised to learn later of holes in the banking application, or to find that the attacker has set up persistence and is able to re-enter the network (and dump data again) if the bank isn’t thorough in its remediation efforts.
- The leak included logins, social media account information and password-reset questions (and presumably answers, all in plain text). This underlines the importance of not reusing security / authentication information across multiple sites. Even an unskilled attacker could use the information in a target’s social media account to find other accounts that may use the same login / password and / or password-reset questions.
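The first takeaway above is the difference between a credential store that leaks passwords and one that leaks only salted, slow hashes. The following is an added example written for this post, not code from the article or from QNB: a hypothetical credential store that hashes passwords with PBKDF2-HMAC-SHA256 from the Python standard library (600,000 iterations, the figure OWASP currently recommends for that construction), with a per-user random salt and constant-time verification. The sample users and passwords are constructed for illustration.

```python
"""Salted, slow password hashing versus plaintext storage (added example).

Assumptions (not from the article): a hypothetical in-memory credential store
keyed by username, and PBKDF2-HMAC-SHA256 as the key derivation function.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # deliberately slow; raise as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the parameters beside the hash lets the iteration count be raised
    later without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unrecognised password record format")
    _, iterations, salt_hex, hash_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def build_hashed_store(users: Dict[str, str]) -> Dict[str, str]:
    """Hash every password on the way into the store; plaintext is never kept."""
    return {user: hash_password(pw) for user, pw in users.items()}


def dump_reveals_shared_passwords(store: Dict[str, str]) -> bool:
    """True if a dumped store contains byte-identical records for two users.

    In a plaintext store (or an unsalted-hash store) users who share a password
    are immediately visible to whoever holds the dump; per-user salts hide that.
    """
    values = list(store.values())
    return len(values) != len(set(values))


# Constructed sample data: two users who happen to share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

if __name__ == "__main__":
    plaintext_store = dict(SAMPLE_USERS)          # what the leaked data looked like
    hashed_store = build_hashed_store(SAMPLE_USERS)
    print("plaintext dump shows shared passwords:",
          dump_reveals_shared_passwords(plaintext_store))
    print("hashed dump shows shared passwords:   ",
          dump_reveals_shared_passwords(hashed_store))
    print("alice login ok:", verify_password("hunter2", hashed_store["alice"]))
    print("alice wrong pw:", verify_password("hunter3", hashed_store["alice"]))
```

A leak of the hashed store still matters (offline guessing against weak passwords remains possible, which is why the iteration count is high), but it no longer hands over working credentials, and it no longer shows which customers reused a password across accounts.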