
Direct Assurance, Osiris, Mediboard… a collective of hackers is stealing your data

On a forum popular with hackers who want to boast about their misdeeds and/or resell their loot, one account has been particularly active in recent days: Near2tlg. It offers several databases for sale and has even posted a message explaining its motivations, adding that this is not a single person but a “collective”.

Near2tlg: the hacker group’s manifesto

“We managed to infiltrate several computer systems and access a large number of sensitive databases, including those of large companies such as Le Point, SFR, Direct Assurance and Mediboard. In just one week, our recently formed group demonstrated its ability to effectively exploit vulnerabilities in digital infrastructures,” the collective explains in what looks like a manifesto. The message is also repeated on its Telegram channel.

The Near2tlg group claims to have “already reported security vulnerabilities on the affected sites”. But, instead of responding and correcting the situation, “these companies preferred to prioritize their profits, accumulating billions in turnover while neglecting the security of their users”. YuroSh, the hacker who claims to be behind the Free hack, also said he had sent security alerts to that company.

“We will continue to act until justice is served. We will put to the test all companies that choose to privatize the profits generated at the expense of the security of their users,” the group explains. YuroSh also took a militant tone in his demands, but on a subject other than profits: “I hate surveillance and think the only way to wake them up is to hack them. Otherwise, things don't change.”

Mediboard: “no data has been sold”… for now

Among the databases put up for sale by Near2tlg, some leaks have already been confirmed by the victims. This is the case for our colleagues at Le Point and for the data of 750,000 patients via Mediboard. The hackers state in passing that they are not behind the Free leak or the Auchan one.

Concerning Mediboard (whose leak has been confirmed), Near2tlg asserts (in a message published last night) that no “data has been sold”, but the group issues “an ultimatum: a payment of $5,000 in Monero [an open source cryptocurrency, editor's note] within three days, or we will release the entire database”.

Return of SFR data, a copy of which was allegedly sold

The group of hackers has also (re)posted a message offering stolen SFR data for sale at the beginning of September. 150,000 customers would be affected, with name, email, telephone number, bank name, IBAN and address. A first copy of the data would already have been sold, again according to the forum post.

Mediboard: access to data from 1.5 million patients

The hackers' well-stocked bag holds other items for sale, including access to Mediboard giving “exclusive control over several establishments”: Luxembourg Center, Alleray-Labrouste Clinic, Jean d'Arc Clinic, Saint-Isabelle Clinic and Private Hospital. This would open the door to the data of 1.5 million patients.

We contacted the Softway Medical group, which offers Mediboard via its subsidiary Openxtrem, for confirmation and details on this second case, with no reply so far. We will update this article if the company gets back to us.

Direct Assurance: 15,000 people, including more than 6,000 RIBs

Other information on sale: that of Direct Assurance customers. More than 15,000 people would be caught in the net: 6,137 customers and 9,517 prospects. According to the post, the hackers used an employee's access to retrieve the data.

The list of leaked data includes name, email, phone number and address in both cases. For customers, the hackers also say they are selling RIBs (bank account details), bank name and BIC: important banking data whose leak can have consequences for the victims' bank accounts.

Direct Assurance confirms the leak

We contacted Direct Assurance this morning. The company confirms the leak to us, for both prospects and customers (with banking data in the latter case), without being able to validate the figures announced by the hacker for the moment.

The breach comes from an external service provider, whose identity is not specified. Of course, all necessary measures have been taken to “block any further data leaks”.

The CNIL has been notified, Direct Assurance tells us (this is also a legal obligation), and the company is in the process of warning its affected customers about the leak of their personal data.

Access to “Osiris Production” for sale

Let's now move on to “Osiris Production”, whose target remains quite vague. The hacker presents it as “a platform used by French public authorities to manage compensation claims for work accidents and occupational illnesses”.

But Osiris Production refers to an extranet of the Ministry of Youth and Sports. The site is currently under maintenance, but it was functional in June 2024 according to the Wayback Machine. The screenshots posted by Near2tlg mention an “associative project”, which could fit with the Osiris extranet in question.

From 350 to 800 dollars, and soon the SNCF's turn?

On Telegram, the group of hackers announces its prices: 350 dollars for Le Point's database, 800 dollars for SFR's, 400 dollars for Direct Assurance's… with payment in cryptocurrency exclusively.

The Telegram message ends with a warning shot at another company: “SNCF, get ready, your turn is coming”.
