Doxbin Gets…Doxxed? Leak Purportedly Sourced From Paste Site Exposes More Than 41,000 User Credentials

On January 5, a threat actor on the illicit forum XSS posted a leak allegedly sourced from Doxbin[.]com, a well known paste site where users would post doxxing information including personally identifiable information (PII) on individuals and family members. In the post, they noted that the data was not taken by them. The data had originally appeared on a Telegram channel used for communications by Doxbin users.

Flashpoint analysis: What was leaked and what it means

Flashpoint analysts conducted an analysis of the alleged Doxbin database and identified a total of 41,544 unique user entries. Fields in the dataset include usernames, email addresses, and passwords in addition to user agent strings as stated above.

A cached page of Doxbin’s terms of service page states: “The only ‘real’ information we obtain is your user agent string which is wiped from our servers after 7 days.” This suggests that the administrators of Doxbin lied about the information that they collect on users.

The volume of unique usernames within this dataset suggests an average number of users are interested in doxxing attempts. At least compared to the broader illicit online ecosystem. Based on analysis of the email addresses in the dump, most users are unlikely to be sophisticated threat actors. Additionally, it is worth noting that one of the users appearing in the dataset may access the site for research. Or, out of idle interest rather than in an effort to conduct doxxing attempts or submit doxxes.

Alleged double-crossing and in-fighting

Following the leak of this database, Doxbin[.]org was updated to display a message claiming that the previous owner of the site decided to leak the database after selling the site back to the original owners. The message claimed that this previous owner is a minor and included their alleged aliases. They also included details about other illicit online activities.

Threat actors within illicit communities that operate sites such as Doxbin regularly harass and conduct retaliatory activities against one another. This also includes doxxing or attributing malicious activities to the targets of their ire.

Doxing can also be used as leverage or extortion against administrators of a website. For example, Flashpoint observed threat actors publish personal details of the owners of the Russian language marketplace Hydra. They also published the administrators of the Russian-language Narco forum Legalizer.

Getting ahead of the message

The post also claimed that any other assertions from actors about having dumped the database from Doxbin were false. This may have been in response to the reposts of data that have appeared on sites like Raid Forums. Sometime later, the site went offline and as of this writing, is not accessible. Administrators have claimed that it is down for maintenance.

What’s a dox?

The goal of doxing is to obtain any and all information pertaining to the target; valuable information in so-called “name and shame” campaigns includes the target’s full name, address, phone number, employer, family and friends’ names, and compromising pictures. The priority information for doxxers is dissimilar to that for hacktivists, who typically attempt to gain additional personally identifiable information (PII), such as date of birth, Social Security Number, and financial information. Doxxing techniques range from simplistic Google searches to the use of more fee-based and/or advanced tools, such as Maltego and Intelius.

In this capacity, most doxxing attempts are conducted by inexperienced operators who infrequently validate their findings through cross-referencing or deductive reasoning to eliminate false positives. These shortfalls frequently lead to false accusations and misinformation, putting non-affiliated individuals at risk.

Identify and mitigate cyber risks with Flashpoint 

Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Sign up for a demo and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.