UPDATE: Site admins contacted Kapustkiy and told him that they are now looking into the breach, with more info to be released at a later time.
Security pentester Kapustkiy has managed to hack the website belonging to a Russian consular department, accessing personal information that includes names, emails, phone numbers, and passport numbers.The website for the Consular Department of the Embassy of the Russian Federation in the Netherlands (ambru.nl) is still up and running at the time of writing this article, and although we’ve contacted the site’s administrators, no response has been offered so far.
Kapustkiy told us that he accessed personal information of approximately 30,000 users, but he decided to leak only some details in order to give the site admins more time to address the breach.
Breach already reported
As usual, he claims the hack isn’t supposed to expose this personal information, but only to help website administrators to boost security and patch vulnerabilities that would allow others to steal details and post them online.Furthermore, Kapustkiy said he also reported the breach to the Russian authorities, but he didn’t receive a response, which makes many wonder how much attention the IT team in charge of the website actually pays to this kind of hacks.
Kapustkiy has been quite busy lately, as he managed to breach other websites as well, including pages belonging to Indian regional councils, Italian government, and Venezuelan army.
In a previous chat, Kapustkiy told us that he’s always trying to get in touch with administrators of the sites he hacks because it wants them to be aware of the vulnerabilities, but it often happens to get no response. In many cases, however, websites are taken down a few days after the breach, which means that users details remain exposed should someone else manage to reproduce the hack.
For the moment, we’re still waiting for a response from the Consular Department of the Embassy of the Russian Federation in the Netherlands, but we don’t expect an answer anytime soon. Without a doubt, however, they’ll become aware of the hack very soon, so the breach could be silently fixed without a public acknowledgment.