The leak was reported yesterday by the Daily Dot and confirmed by Goldcorp representatives. Hackers copied a large number of documents and distributed them via torrent.
We performed a quick investigation of the breach and can add and clarify some information that was not reported to the public.
The information about the data breach first appeared on justpaste.it, a Polish website used to publish quick notes (like pastebin). The hackers posted links to a 13.7 GB (28.3 GB when uncompressed) archive containing stolen documents from Goldcorp.
The archive contains screenshots of employees' workstations to prove the actual hack. They were made on September 14, 2015 (according to the date on the screenshots), which suggests that the hackers had complete access to the network for more than half a year. The leaked information appears to have been selected to make it more valuable to the public. The archive contains:
- Internal email correspondence of some employees
- Contract agreements with other companies
- Budget planning for 2016 and previous years
- Personal information with passport scans of a certain employee who was going to apply for a permanent visa in Canada
- Information about salaries and bonuses
- Backups of Microsoft SQL databases and some web application
- List of users' logins and hashed passwords
- List of users in Active Directory (there are a lot of logins starting with admin*, which appear to belong to system engineers/administrators)
- A list of all workstations and servers in the network
- A lot of addresses of people and companies
- And more
According to Bloomberg, the hack was an extortion attempt. Goldcorp CEO David Garofalo discounted the notion that the hackers had ideological motives.
We at Cybersecurity Help agree with Mr. Garofalo on this, because the leaked documents were carefully selected and the hack was performed by professionals with a deep understanding of the technologies used by Goldcorp (such as Active Directory, SAP, VMware, etc.).