New Data Breaches Discovered at Lübeck IT Firm

An IT company based in Lübeck has been implicated in a series of ongoing data breaches following a ransomware attack that occurred last year. Despite the incident, vulnerabilities within the company remain unresolved.

The firm, known as Melting Mind, received a notification from the Federal Office for Information Security (BSI) in April 2024, indicating potential data leaks from their systems. This information is still accessible on the company's official website.

According to reports, the hacker group APT73 announced a breach of Melting Mind's servers, threatening to sell the stolen data. The company's owner disclosed that a ransom of EUR50,000 was demanded in Bitcoin. An agreement was reached to pay EUR3,000, after which the firm alerted its clients to secure their data. However, the reports suggest that both the ransom and the customer data were ultimately lost.

Despite making the payment, the stolen data was subsequently published on a leak site in the dark web, packaged in a ZIP file.

Furthermore, a vulnerability search engine called Leakix has revealed that data leaks from Melting Mind are still prevalent. At the time of this report, the search engine returned numerous results related to the company's domain, indicating the presence of sensitive files accessible on the web.

Leakix functions similarly to well-known search engines like Shodan, scanning publicly accessible websites for system files, including .DS_Store files that contain directory metadata. In many instances, employees may inadvertently expose these files on web servers, allowing unauthorized access to critical information.

Among the findings were .git folders, which can enable individuals to download entire website source codes from exposed repositories. This could include plaintext database credentials or indicate that passwords are hashed using only MD5 with a salt--an insecure practice.

Alarmingly, access credentials available on Melting Mind's website provided entry to an SQL database containing around 17,000 customer records, including over 3,000 bank account details. Reports suggest that this sensitive information has been publicly accessible since at least 2022.

In response to inquiries, a representative from Melting Mind stated that the firm is currently assessing the extent of the breach and investigating its source. They assured that protective measures would be implemented promptly. Additionally, they plan to report the incident to relevant authorities within the required timeframes.

As of now, the Schleswig-Holstein Data Protection Officer, Dr. h.c. Marit Hansen, has not commented on these developments.