Cloud-based video downloader service Dirpy has been found leaking sensitive data on its users, placing them at risk of all sorts of cyberattacks.
Cybersecurity researchers from Cybernews revealed how they found an open Kibana instance with 15.7 million entries of private data in late March 2024. The data included people’s IP addresses, account IDs of those with Premium User accounts, activity logs, including which videos the users downloaded, URLs of the requested content, and user diagnostic information.
We don’t know exactly how many people are affected by the leak, but we do know that the majority of Dirpy’s users are based in the US and Japan.
Extorting the victims
Cybernews determined that the Kibana instance belonged to Dirpy, an online tool that allows users to convert and download online videos, particularly from YouTube. The videos can be converted into different formats, including .MP3 (audio), and .MP4 (video). The researchers notified Dirpy of their findings who, soon after, closed the database for the public. The private data was available for more than a month, between March 18 and April 24 2024.
We don’t know if any malicious third parties found and downloaded the database before Cybernews’ team did.
While downloading video content from these platforms without explicit consent from the authors is illegal, Cybernews stresses, grabbing it for personal, non-commercial use, is legal.
That being said, there are ways hackers could have used the database. Asides from the usual phishing, identity theft, or social engineering attacks, the attackers could, in theory, discover the identity of the people who downloaded adult, pornographic, or otherwise compromising content.
This information could then be used in extortion attacks, blackmailing people into giving away cryptocurrency in exchange for keeping the information private, as poorly protected databases are one of the most common causes of data leaks.