Card Thieves Suffer a Breach of Their Own

Even card thieves can have data breaches.

Much of the card data that is stolen in data breaches is resold to other fraudsters before it is used. However, the online storefronts that put these card numbers up for sale are, themselves, just as vulnerable to being hacked.

"A prime example" is mn0g0.su, Brian Krebs reported Friday on his blog Krebs on Security. The site, which takes its name from the transliteration of the Russian word for "many," exposed its inventory of 81,000 card credentials when it was backing up its data to a third-party server, which did not use encryption.

Mn0g0.su also exposed its own customer list, Krebs wrote. The email addresses, IP addresses, usernames, passwords, and ICQ chat numbers for 4,300 people who shopped at mn0g0.su were also visible.

"The customer passwords were better protected than the credit card numbers," Krebs wrote, in that they were encrypted. However, at least half of those passwords could probably be deciphered by password-cracking tools over time, he wrote.

Krebs said he learned of this breach from "a source who enjoys ruining criminal projects." The stolen data exposed in the breach includes card account numbers, names, addresses and, in some cases, Social Security numbers.

The site lets visitors shop for stolen card data by issuer, ZIP code and card type, Krebs wrote.