Follow us

24 million records of Vimeo Livestream have been scraped and are available for free on the DarkNet

Hackers have published a database of Vimeo’s confidential user data over 7 GB in size.

Updated: October 20, 2021 By Darina Shramko

Vimeo live stream 24 million records leak

Image source – livestream.com

Undoubtedly, this week was one of the worst not only for Mark Zuckerberg and Instagram and Facebook users.

A couple of days after the hacking of more than 2 million accounts of Snapchat users, 24 million records of LiveStream user profiles were given for free on the popular DarkNet forum!

Livestream Has Joined The Vimeo Family

Livestream.com/blog

Livestream.com is a streaming service that recently joined the Vimeo enterprise family and is now providing services under the Vimeo trademark.

Hacker’s post about Livestream user’s database leaked

Hackers never cease to amaze with their cynicism and are ready to turn the entire personal life of users inside out, which they publish for free on dark forums.

What data was scraped?

While technically scraping is not equal to a data breach, it can be accomplished using designed and allowed access methods and unofficial methods or holes in security.

It is not clear yet, where the data comes from, but it contains confidential information about LiveStream users, namely:

  • full username
  • social networks
  • email
  • time zone, etc.

The cybercriminal gained access to all the data that users leave when registering in the application.

The hacker provided a sample − a fragment of the compromised database:

Database samples

In addition to the sample, hackers also attached a link for a complete download of the LiveStream user database, weighing over 7 GB!

7.2 GB folder of user’s data

How serious are the consequences?

The hacker gained access to 24 million user accounts of LiveStream − which means that the size of the leak exceeds the population of Florida!

Now, with such a set of data in their arsenal, attackers can blackmail, threaten, apply moral pressure and other illegal actions against innocent users.

Typically, these hacks are carried out for phishing − the most common method of social engineering.

Warning: Always check the URL of the site you are visiting! Be careful: even one minor character in the site address (for example, a comma or a separating line) can indicate fraudsters.

We analyzed the compromised database in detail and concluded that the full name, mail, and social networks info is enough to implement a large-scale cyber-attack.

The thing is that databases of users of popular applications are published and sold on dark forums every day (for example, recently, the data of 18 million Twitter accounts were leaked to the network).

Cybercriminals can use other leaks to supplement the information already available about you with new details so that they can later use it against you.

Immediately after the discovery, our team was heading to Livestream support. Unfortunately, we failed to notify them about the potential breach. The way to report is quite long, especially for security breaches, and requires account registration on the bug hunting platform as a bug hunter.

Find a security vulnerability page on Livestream

Update 19.10.2021: The Cooltechzone recently was approached by a representative of Vimeo.  A Vimeo provided us with the following comment:

"We have completed an internal investigation and determined that neither the Livestream platform nor existing security controls were compromised, and the user data in question is information already publicly available. Data scraping is an illegal activity, and one we take serious efforts to prevent. In this case, our existing controls were not effective at blocking this activity and we have taken immediate measures to prevent this from happening in the future."

Vimeo spokesperson

How to avoid becoming a victim of hackers?

If you suspect suspicious activity on your LiveStream profile or another social network, take these preventive measures:

  • Don’t share confidential data with other LiveStream users (even if the interlocutor is very convincing)
  • End all active sessions and change passwords and then write them down in the password manager
  • Turn on two-factor authentication (if not already enabled) for all your social media accounts
  • Use different passwords for all your profiles
  • Don’t correspond with suspicious strangers and don’t follow links. Even if you received a message with a link from your friend − check whether he is sending a message; otherwise, his account could be hacked to spread phishing emails
  • Change passwords for all your social media profiles every six months
  • Use complex names for your email accounts − this will make it more difficult for attackers to hack your email using social engineering
  • Don’t leave publicly available information about your phone number and date of birth

We will follow further developments and will be sure to inform you about new details and incidents in the world of cyber security!

About Vimeo

According to the official website, Vimeo is the world's largest ad-free open video platform. It was established in 2004 and is headquartered in New York. Today Vimeo provided tools to create, store, share, stream, and sell high-quality videos.

Status on October 2021 Vimeo

  • has over 230 million users
  • covers more than 190 countries
  • reached 100B+ videos views
  • adds 350k new videos per day-to-day
  • the employee for about 1000 people around the globe

Be mindful!

Tags: 
Leaks
Author
Darina Shramko
Cybersecurity specialist and researcher.

Leave a comment

click to select