[German]Short information for people who have an account at the German SAVE.TV service. The service has been hacked. Here is some information what I know so far. Addendum: Also the service UseNeXT (de, nl etc.) has been hacked. A service provider seems to be the gate for the intrusion. The case has (imho) nothing to do with the Momentum Usenet client, which probably also steals access data. More details in the article.
Advertising
What is SAVE.TV?
SAVE.TV is a service that acts as an online recorder for TV shows and stores them in the cloud. MacLife has published an article (German) in 2016 introducing the service. The service is fee-based and requires registration. The operator of the service is located in Leipzig, Germany.
What is known about the hack?
German blog reader Christoph W. informed me some hours ago by mail (thanks for that) about the hack. Christoph wrote:
They [SAVE.TV provider] are no longer available since Friday evening (24.04.2020)!
He just received an e-mail informing him about a hack. He just cancelled my credit card and ordered a new one. In the meantime the vendor has also published a confirmation about the hack on his German web site – here is my translation:
Save.TV Services temporarily offline: what you should know now!
Dear Save.TV customers,
Transparency is particularly important to us right now. Therefore we would like to inform you that the security of your data may have been compromised. Here we summarize the most important facts and information for you.
What has happened?
The IT systems of our company were attacked by previously unknown third parties. The reason for this seems to be a security gap in the software of one of our partners, for which we currently have no proof. Nevertheless, there is a theoretical risk that personal data could be affected. This could potentially affect your name, billing address, payment data such as IBAN and account number, as well as other data that we have processed in the course of executing your contract.
The hack could affect personal data, and the provider is obliged under the GDPR to inform his data protection supervisory authority in a timely manner.
As a first measure, the provider has deactivated its systems and commissioned a specialised IT security company to analyse the problem and determine the exact extent of the attack.
Advertising
What should those affected do?
Those who have an account with SAVE.TV should receive an e-mail notification by now. For their own protection, the service provider suggests the following measures:
- From now on, watch out for suspicious debits on your accounts.
- Immediately change all passwords of accounts that are linked to your email address or bank details.
- Prioritize the account that is needed to restore other accounts or passwords.
- If you use your password for the account of our services elsewhere, you should also change these passwords immediately afterwards.
- Check the settings of your accounts (e.g. automatic forwarding of messages). Any changes indicate unauthorized access. If necessary, correct these settings as soon as possible.
- If you notice that someone is impersonating you, please notify the provider of the affected account immediately and arrange for the account to be blocked. Then let your friends know that your identity has been stolen.
- Pay more attention to phishing emails in your inbox and do not click on any links that you find suspicious, but report them.
These measures should be taken promptly. The provider has published instructions in the info mail and on the homepage on how to contact him.
Amendment: UseNeXT also affected
Also the provider usenext.de was hacked and is now out of order. The website has a very similar text (both websites of the hacked providers are currently massively overloaded). I suspect that a payment service provider was attacked. I found out, that Ominga was the provider used to handle some feature for both hacked services.
VPN connection at Omniga allowed the hack
Addendum: After I've published my German article at heise, a company spokeswoman from Omniga contacted me by phone (their IT infrastructure is still offline, so even email is not available). During the telephone conversation, the following information was confirmed to me.
- The problem lies with the provider Omniga, it is (according to the statement) definitely only the two customers mentioned in the above text are affected.
- Immediately after the hack was noticed, the Omniga IT systems were shut down completely as a precautionary measure.
- As a result of this shutdown, the customers UseNeXT and SAFE.TV and their services are also affected.
- It is currently impossible to say whether any data was actually leaked during the hack. The forensic investigations are still ongoing.
- The data protection supervisory authority was informed of the incident in a timely manner.
The presumed vulnerability for the hack is interesting. In the course of the Corona crisis, Omniga employees were sent to the home office. The connection to the company IT and the used enterprise software was made via VPN connections. A vulnerability within the VPN software seems to be the gatewas of the hack. Currently, Omniga is discussion with the undisclosed VPN software provider to clarify why the hack was possible. If new information is available from Omniga, I will cover it.
UseNeXT: Does malware steal access data?
Addendum: In comments to my heise article and in a mail from blog reader Ralf (thanks for that) I was informed that there is another problem with UseNeXT. In this TorrentFreak article, it's written, that the Momentum Usenet client, a software for accessing the Usenet, steals user data.
The article probably bases on this reddit.com threadwhere details are disclosed. The assumption that the UseNeXT hack has been enabled in this way is – based on my additions to the above text regarding Omniga – not likely.
