Billions of Infostealer Logs Exposed: How Web Hosts React to Abuse Complaints
I filed abuse complaints for multiple hosts and I'm sharing some of the struggles and what it took to close down over 4 billion records.
Servers with exposed infostealer malware logs routinely show up on my alerts for exposed data. The origin of the logs or who is responsible for the exposure is usually unknown and hard to identify.
Some have clear indicators that a public tool was used to extract the data of hundreds of Telegram channels and import it to the database, others just contain the raw data inside.
The abuse complaints on this post relate to 6 servers that totaled over 4 billion records and over 200 million unique email addresses.
The amount of exposed logs I see come and go over time is much higher but I don’t have time to file complaints for every single server.
It’s hard to assess how much unique data is actually in such servers as people sometimes use the same sources to grab the data or aggregate data that doesn’t originate from infostealer malware but instead older data breaches or leaks.
Even though my priority isn’t closing down infostealer logs and I understand there are multiple reasons for companies to have this data, in no way this should be publicly exposed for anyone to query. Abuse complaints to the hosts work quite often and take anywhere from 1 day to a couple of weeks to get everything fixed unless…
2 Billion records hosted on Microsoft? This will be an easy one...
At the end of September 2024 I noticed a publicly exposed database and inside was a single index, with over 2.1 billion infostealer records.
I did a lookup on the IP to check the host and it was being hosted by Microsoft and the abuse contact mentioned both https://msrc.microsoft.com/report and abuse@microsoft.com.
I tried the link first and I wasn’t sure what incident type this should be reported under so I tried the one that said IP Address - Illegal.
The MSRC portal abuse report form mentions something that will be important in just a second:
“It also includes distribution of malicious or illegal content through a Microsoft Online Service.”
I received an ack email shortly after that contained some case information.
Around an hour later the case got closed. The reply says my report was reviewed and couldn’t be validated.
I decided to try the abuse@ email instead. That did not produce any response.
I sent another complaint through MSRC portal again a few days later. The case was closed within one hour again, the exact same response as before.
Trying a different approach
I was chatting with @PogoWasRight from https://databreaches.net and she suggested I should make a post about it on my infosec.exchange page to see if anyone had contacts that could help with this.
I filed a complaint around the same time of the post to https://www.ic3.gov. I got no reply from it.
At the end of October almost a month after I initially saw this exposed, I was back looking at this server and thinking I should try some of the suggestions but then I had another idea.
I sent Troy Hunt from https://haveibeenpwned.com a message asking if he had any contacts at Microsoft that could maybe help with my tickets being ignored.
A few days later, Troy connected me with a security person from another team that opened an internal ticket and within 24 hours, on October 28th 2024, the server with the infostealer logs was gone.
So where should I report this to?
A few things were asked:
Why my tickets were ignored and where should I report incidents related to cloud storage exposed servers with sensitive data that I can’t ID their client or I can but they aren’t replying to notifications.
No one came forward to give me a direct answer as to why the tickets were ignored.
The official response from Microsoft regarding where I should report everything to is their MSRC Portal but did they not commit on which option I should pick to not get ignored.
It wasn’t easy with a Brazilian host either - 206m records
On September 15th 2024 I had another server to report, this time hosted in Brazil and a dataset built specifically for their citizens with all the records being related to Brazil.
The abuse report contacts for the server contained a gmail account and a couple of cert.br emails so I tried those.
Two weeks after my email nothing had changed and I had no reply so I added a few ctir.gov.br emails as well this time and sent a message with the information.
The next day cert.br replied.
I was told I emailed the proper contacts so I did not try to contact anyone else regarding this.
Over the next few months I checked often to see if anything changed and the data kept being public besides brief periods where the server would timeout.
Eventually at the start of 2025 the server was gone and I have not seen the data exposed since.
What about other hosting companies?
Sometimes things just get closed after an email or two. I don’t always get replies for the complaints so I can’t be sure if they were effective or not.
Reliablesite - 1b records
On June 18th 2024, after checking the IP whois information, I went to Reliablesite’s website and talked with their live chat asking where I should report the server I had found. I was given an email to send the information to and I sent it the same day.
I was told on the same day the information was forwarded to their client and would be updated upon resolution. A couple of days later the server was gone.
On June 26th Reliablesite got back to me and showed me they were trying to contact the owner and he didn’t reply. They also warned the owner the IP would be null routed if they didn’t address the complaint, which is probably why it stopped working.
Privatelayer - 400m records
On June 20th 2024 after checking the IP whois information of another exposed server, I sent an email to the abuse contact with the information. I did not get any kind of reply or ack from my abuse report so I can’t confirm the complaint was the reason for closure but within 48 hours the exposure was fixed.
Tynahost - 300m records
I’m not sure if my report was what closed this server either as I never got a reply back.
On August 25th 2024, after IDing the host of another server, I sent a message to Tynahost abuse@ and contato@ emails with the information. On the same day the exposure was fixed.
Digitalocean - 123m records
On June 18th 2024, while chatting with another host on live chat (mentioned above), I filed an abuse report, this time to a server hosted with Digitalocean. They have a form on their website for abuse reports so I used that.
Shortly after I filed the complaint, I got a reply thanking me and saying they located the associated account and would review and solve the issue as soon as possible. On July 1st the exposure got fixed.
Bonus mention, Hetzner - Hacked data
This server did not contain infostealer logs but instead data from multiple US companies data breaches that ended up leaked later online.
After contacting Hetzner, they reached out to their client to look into and fix the issue. They also asked them to provide a statement about it. Less than a week after my email they blocked access to the IP.
You can read more details about the complaint here: https://infosec.exchange/@JayeLTee/112712404038214723
Sometimes not reporting anything solves the issue as well
A lot of data that is exposed publicly, if left exposed for long enough and with permissions enabled that allow data deletion, it usually ends up being hit by wiperware.
Just recently, in early February, I saw a server with over 3.5 billion infostealer logs that had been exposed for around two weeks, completely wiped and a ransom note added for the recovery of the data. I saw easily over 10 billion records of random data be wiped that same week.
The amount of time it takes to extract this much data, the costs to store it and the high frequency that the wipes occur on exposed servers lead me to believe that paying for recovery would be pointless as it’s unlikely they backed up the whole data or anything but a few samples.
Final comments
Unfortunately wiperware doesn’t hit only infostealer data and has been running routinely for years on multiple services and wiping anything publicly exposed that has no protection against data deletion enabled.
Sometimes it’s a race against the clock to try and warn companies of their poor security practices and doing that looks kinda like this:
If you’re interested in more incidents I dealt with, you can check all my public finds indexed by country on the post below:
