A database of 44 million users of the online movie app ‘Start’ was leaked online. The 7GB database consisted of the first/last name of the users, their email address, hashed password, IP addresses, country, and the start/end date of the subscription to the service.
Troy Hunt, a renowned Security researcher, discovered a channel where the compromised data was easily accessible. “Found the channel where this was posted; if you’ve seen a download link anywhere, please drop me a DM,” Hunt tweeted while sharing a translated version of the data breach.
Found the channel where this was posted (translated version below), if you've seen a download link anywhere please drop me a DM pic.twitter.com/ftVQkTyamD
— Troy Hunt (@troyhunt) August 29, 2022
Telegram user ‘Information Leaks’ shared the information
‘Start’ is a subscription-based streaming service provider that offers Russian content to international users. The application includes TV shows, Russian movies, and documentaries. With a wide variety of content available for its users, the platform has a diverse user base and has TV series and movies dubbed in over 20 languages.
A Telegram user, “Information Leaks,” shared the news regarding the data leak on the channel, stating that around 43,937127 accounts had been compromised. The user also shared the list of all the data, including sensitive information about the app users, like their IP address, hashed passwords, and more.
According to the information available, the data leak had a wide range of geographical coverage — including 24.6 million Start app users from Russia, 2.3 million from Kazakhstan, 2.1 million from China, and 1.7 million from Ukraine.
The leaked data that was posted on public domains have been blocked by Start. The company checked the data records from the dump using the password recovery function on the start.ru website. Post the analysis, it was found that the 44 million users were indeed signed up on the Start app, and the leak was valid. The analysis also revealed that the data dump was done after September 22, 2021.
Start confirms data leak
According to Meduza.io, which first reported the incident on its website, Start confirmed the data leak and fixed the vulnerability. Access to the leaked data was blocked, and the company claimed that the information leaked was not updated. The data was from 2021, and users may not face any issues other than the leaked email and phone numbers that hackers could use to connect to the user. Start also confirmed that the leaked data did not contain any open passwords or browsing history of users and did not include users’ bank details or financial information.
