Ethical hacker accesses sensitive data of Belgians via old domain names – Computer – News

Ethical hacker Inti De Ceukelaire gained access to sensitive information of Belgian residents by registering expired domain names for government services. He purchased 107 different domain names, including the names of police districts, hospitals, and legal institutions.

De Ceukelaire bought the domain names for about eight euros each, this way he writes in a blog post. The domain names came from various Belgian public institutions and government services. For example, this concerns 44 OCMWs or public centers of social welfare. De Ceukelaire also bought 32 former police district ranges, 12 of which CAWAnd 12 from student counseling centers, 4 from hospitals, and 3 from legal institutions, such as local courts.

Through the domain names in his possession, De Ceukelaire was able to receive emails directed to the domains in question. The white hat hacker searched for old email addresses for different domains via public sources. He then looked into whether he could theoretically reset passwords for popular cloud services.

De Ceukelaire said he was able to identify 848 different email addresses in one week. The hacker successfully obtained “password reset” emails for 80 Dropbox accounts, 142 Google Drive accounts, 57 Microsoft, OneDrive, and Sharepoint accounts, and dozens of Smartschool and Doccle accounts. He is not actually logged into these accounts.

The ethical hacker also received hundreds of other messages in one week. This included information about detainee releases, reminders about payment arrears, emails about the health of vulnerable people, insurance reports, and more. De Ceukelaire deliberately did not read those emails; Content can be extracted from topics.

An ethical hacker will attempt to return domains to their rightful owners, He tells VRT. De Ceukelaire also recommends that organizations and companies automatically renew domain names, or at least renew them for “at least ten years,” to prevent this type of data leak.