User Controls
Posts by MrHigh
-
2017-04-06 at 11:28 PM UTC in FBIWhat would the FBI do with someone like me? What kind of bad ideas for investigation. Stingray me. Hack me. What?
-
2017-04-06 at 11:25 PM UTC in SpectraLI did this for you.
http://pwoah7foa6au2pul.onion/forum/index.php?threads/for-spectral.140494/
I know is not you. But it is the closest I could find.
<3 -
2017-04-06 at 11:23 PM UTC in How is my hacking?
-
2017-04-06 at 11:20 PM UTC in LIVE HACK with Mr High(Security Hole Is Still Open!)This must have been available for a long time. I looked up on it one week after talking about it and it was still working. It seems like it may have been patched now.
http://pwoah7foa6au2pul.onion/forum/index.php?threads/free-social-security-numbers-from-wvhunt-com.139665/#post-1274063 -
2017-03-26 at 6:10 AM UTC in Over 6,000,000 SSN hacked from 10 websites by MrHigh
-
2017-03-26 at 6:07 AM UTC in How is my hacking?
Originally posted by Sophie Are we a "Top Hacking Site" fam?
Exactly. I made this for all of you.
http://pwoah7foa6au2pul.onion/forum/index.php?threads/alabama-arizona-arkansas-delaware-idahoi-llinois-kansas-maine-oklahoma-vermont-west-virginia.137895/
I know betaBay is a pussy forum but still. I just needed a place to do this. I do not want to get the admin of this place in trouble. -
2017-03-24 at 6:06 AM UTC in Over 6,000,000 SSN hacked from 10 websites by MrHigh
Originally posted by Sophie The media is known for not understanding cyber.
They never do. I was not able to get a shell on any of these servers. I did see what looked like another hacker was trying a SQL injection attack. It could have been a bad automatic maintenance routine the admin put in place. It basically listed a whole load of SQL info and info on the internals of the servers. I noticed this in several of the servers around the same time. It always happened on the same day of the week. I knew of these for a while.
Another big one I have known of for several years. It involves being able to set up ACH transactions from accounts. -
2017-03-24 at 5:59 AM UTC in How is my hacking?I made the top 10 in this article for the largest data breaches of 2016.
http://www.crn.com/slide-shows/security/300083246/the-10-biggest-data-breaches-of-2016.htm/pgno/0/5
I know I was in another one for my 2014 hack of the Oregon Employment Department.
Do you think my latest hacks will get me into one of these top-hack sites for 2017? -
2017-03-24 at 5:47 AM UTC in LIVE HACK with Mr High(Security Hole Is Still Open!)
-
2017-03-24 at 4:32 AM UTC in Over 6,000,000 SSN hacked from 10 websites by MrHighHere are some of the news articles.
http://www.governing.com/topics/mgmt/tns-joblink-hack.html
http://www.idahostatesman.com/news/local/article140230103.html
http://www.tulsaworld.com/news/state/state-website-hacked-personal-info-of-oklahomans-others-compromised/article_32a30814-46e8-5eb6-aa45-5a55dd7b626f.html
http://www.delawareonline.com/story/news/2017/03/22/del-joblink-cite-hacked-200000-exposed/99514074/
http://www.wmtw.com/article/maine-jobs-website-hacked-personal-data-may-be-compromised-officials-say/9172427
There was no malware involved in this. It was a security hole in the web application. I also hacked a website in West Virginia.
I know of more. -
2017-03-24 at 4:31 AM UTC in LIVE HACK with Mr High(Security Hole Is Still Open!)This is a live security hole in a fishing license website. I am going to give exact instructions on how to pull personal information out of this website. This security hole is a very easy one and doesn't require any special software. All you need is a browser.
The website is https://wvhunt.com
0. Register an account. This doesn't require an email address to verify. Make sure to remember your login and password because you will have to login after making the account.
1. Click on the View Order History button from the main menu.
2. Change the number in the URL to a different number.
3. Keep changing it if it does not reveal any license information.
4. Click on any of the Select buttons.
5. Click the Home button. You will notice that the name on the right side is now a different person's name.
Sometimes the last step will take you directly into the registration area. You will see the person's date of birth. After clicking the next button you will see their social security number.
If you look at the source code you will be able to see the person's driver's license information and other personal information.
I obtained these quantities from this.
SSN = 132,624
DL = 256,568
This site may be monitored. They caught on to my last hack and I was hacking this site beforehand. They may know about it. But the security hole is still open as of right now. -
2017-03-15 at 6:21 PM UTC in Over 6,000,000 SSN hacked from 10 websites by MrHighThese are the urls that lead to the webservers that were hacked.
joblink.alabama.gov
azjobconnection.gov
arjoblink.arkansas.gov
joblink.delaware.gov
idahoworks.gov
illinoisjoblink.illinois.gov
kansasworks.com
joblink.maine.gov
okjobmatch.com
vermontjoblink.com -
2017-03-15 at 6:12 AM UTC in Over 6,000,000 SSN hacked from 10 websites by MrHighI found an easy security issue in a network of websites and was able to obtain over six million names, dob, and ssn. In the midst of pulling the data from the servers the admin must have noticed a large number of requests and investigated. The admin banned all of my accounts and fix the error. I estimate that it would have been over 10 million. I got over half of what I expected. I have not contacted the admin yet. I am going to wait and see if the US government announces it to the public. These were all government websites and most ended with .gov. The people were ordinary citizens using a certain service.
These are the totals from each state.
Alabama = 1,394,018
Arizona = 891,820
Arkansas = 597,242
Delaware = 236,293
Idaho = 151,992
Illinois = 1,235,564
Kansas = 647,230
Maine = 283,558
Oklahoma = 862,278
Vermont = 183,536
I know of several other security holes in government websites. That is all for now.
Your dearest friend,
MrHigh -
2016-11-25 at 7:35 AM UTC in Address Dumpi gave out the senator of Washington info here -> http://pwoah7foa6au2pul.onion/forum/index.php?threads/united-states-senator-of-washington-state-patty-murray-last-four-digits-of-ssn.113553/
-
2016-11-25 at 7:15 AM UTC in Address Dumpa personal information discussion. i like.
here is the governor of Idaho->
C.L. BUTCH OTTER
1009 S. STAR RD.
STAR, IDAHO 83669
SSN: 519381282
DOB: 05/03/1942
DL: ZA121664C(IDAHO)
HEIGHT: 6' 3"
WEIGHT: 195
EYE COLOR: BLUE
HAIR COLOR: BROWN
here is the governor of Kentucky->
MATTHEW BEVIN
531 BARBERRY LANE
LOUISVILLE, KY 40206
SSN(LAST 4): 0827
DOB: 1/9/1967
EMAIL: MBEVIN@BEVINBELLS.COM
HOME PHONE: (502) 727-0258 -
2016-09-07 at 7:12 AM UTC in Hacking StyleIs my hacking style stupid?
I hack websites. I pull millions of pieces of PI from these websites. Within a thread I announce publicly that I am going to report them soon. Then I report them and update my thread listing the exact websites. I do wait until the websites have been fixed before listing them within the thread. Then I prove that I did indeed hack the site by giving out free PI.
Should I change this up in some way? -
2016-09-03 at 11:16 PM UTC in Homeland Security
they didn't use sessions or anything, just allowed you to access data by guessing IDs in the post data or URL? fuck off.
Yes. I think some were parameters within a cookie. POST/GET. There's a little more to it though. Some I could only get certain pieces of info and then I used that info to get more info. Fun little puzzles.
-
2016-09-02 at 4:38 AM UTC in Homeland SecurityWe are in the news.
http://www.idahostatesman.com/news/politics-government/state-politics/article99395062.htmlHack that hit Idaho Fish and Game involved 6.5 million users in four states
Outdated security was the cause of a data breach in Idaho and three other states, but it’s not clear whether the hacker responsible actually stole information, or even wanted to.
The first indication that a hacker might have accessed personal data on the online licensing website used by Idaho Fish and Game came late on Monday, Aug. 25. The vendor that runs the service patched the vulnerability the same day.
Separately, Idaho Fish and Game learned of the potential breach through the Department of Homeland Security on Tuesday. The site was promptly shuttered and the public put on notice.
By then, authorities and site operators knew that the hacker, using the handle Mr. High, had boasted of accessing personal information for as many as 6.5 million people in Idaho, Washington, Oregon and Kentucky.
Mr. High had actually announced his gambit the Friday before, Aug. 19, on a cheekily named online forumaccessible from any web browser.
To date, authorities still don’t know whether the hacker actually downloaded any information. And theft, it seems, might not have been the motivation. (The Statesman is referring to the hacker as male, given the handle he used.)
Instead, the breach might have been the hacker’s call to action.
“On Monday I’m going to report five security holes,†he wrote on the forum site Friday, saying he planned to reach out then “to the administrators and to random people like the FBI.â€
The licensing sites used by Washington, Oregon and Idaho are contracted to a third-party vendor. Kentucky’s system is in-house. Despite Mr. High’s reference to five security holes, the hacker has not identified a fifth system.
“I’m only reporting the sites that I’ve already worked. The rest stay open for business,†he wrote.
On Monday, Mr. High wrote again on the forum and also on betaBay, a marketplace site on the anonymous, encrypted part of the internet known as the dark web.
“This should make the news,†the hacker wrote. “I’ll list the exact websites once the security hole is patched and/or it makes the news.â€
About 10 hours later, he named the target sites and what he had obtained: personal information for 2.4 million users in Washington, 2.1 million in Kentucky, 1.2 million in Oregon and 788,000 in Idaho. The data included names and addresses, dates of birth, driver’s license numbers, partial Social Security numbers, email addresses and phone numbers, and personal details such as height, weight and hair color.
In his forum message, the hacker said Kentucky’s site administrator, when contacted about the vulnerability, “replied quickly†and “was thankful†for the notification. He said he also contacted “a couple hacking news sites.†At least one security blogger picked up on the hack.
The other licensing sites are managed by Dallas-based Active Network, a data analytics firm that manages cloud-based event and activity registration and payment services for clients. The company says it processes 100 million registrations and $3 billion in payments annually for 42,000 clients and 650,000 activities.
It handles Idaho’s Parks and Recreation reservation system, but that is separate from the Fish and Game licensing site and was not affected by the breach.
Active Network, through a Washington, D.C.-based PR firm, has declined comment beyond an initial statement. The company said it patched the weakness “within 15 hours†and has engaged a “top-tier cybersecurity firm to conduct a review.â€
The FBI and Department of Homeland Security are investigating as well.
The exploit, systems experts said, involved a weakness in the front end of the licensing sites — that is, the actual web page users visit to input information.
The weakness meant that a malicious user could gain access to data by inputting the ID assigned to a user upon registering on the site. Older user IDs were numeric only; later, users received more secure betanumeric IDs, among other security upgrades. In the case of Idaho, only users who signed up in 2008 or earlier and received a numeric ID were at risk.
A hacker could write a fairly straightforward computer script to access individual records for thousands of users in sequence, covering his tracks by hiding his internet address and by obtaining the information gradually over time.
And the exploit might have been open to the hacker for months: Mr. High posted about accessing data as early as March.
When Fish and Game technical staff attempted the exploit based on the hacker’s information, their test “didn’t retrieve all the information that the hacker claimed to have gotten,†said Greg Zickau, Idaho’s chief technology officer. “It’s not confirmed that he was able to get some of the things that he claimed and how long it would have taken for him to get the volume of records that he claims to have had.â€
If officials want to prosecute the hack as a crime, that would have to occur in the state where the data resides — in this case, Texas.
Idaho’s state systems have suffered relatively minor cybervandalism in recent years, Zickau said, including website defacements; “ransomware,†a type of malware that attempts to lock out a user until a payment is made; and denial-of-service attacks, in which websites are inundated with simultaneous page-view requests to the point where they are unable to load for legitimate users.
“We’re constantly being scanned, and relatively constantly under some level of attack with varying levels of success,†Zickau said.
The Idaho system will remain offline pending thorough third-party testing.
Bill Dentzer: 208-377-6438, @IDSBillD
Identity theft: What you can do
Idaho Fish and Game says the vendor that manages its licensing website will contact users whose data might have been accessed in the recent site hack.
Concerned about identify theft? The Federal Trade Commission hosts a number of resources.
For information on prevention, visit ftc.gov/idtheft.
To report identity theft, visit identitytheft.gov. -
2016-09-02 at 4:36 AM UTC in Homeland SecurityLets pretend that hack some web servers and stole over 6.5 million pieces of person information. Well also pretend that I hacked one a year and a half ago and got over a million SSN.
-
2016-09-02 at 4:19 AM UTC in I miss intosancI miss my private chats with Arnox.