Cloud-based video downloading service Dirpy leaks sensitive data about its users, putting them at risk of all kinds of cyber attacks.
Cybersecurity researchers from Cybernews revealed how they found an open Kibana instance with 15.7 million entries of private data in late March 2024. The data includes people’s IP addresses, account IDs of people with Premium User accounts, activity logs, including what videos the users downloaded, URLs of the requested content, and diagnostic information for users.
We don’t know exactly how many people were affected by the breach, but we do know that the majority of Dirpy users are based in the US and Japan.
Extorting the victims
Cybernews determined that the Kibana instance belonged to Dirpy, an online tool that allows users to convert and download online videos, specifically from YouTube. The videos can be converted to various formats including .MP3 (audio) and .MP4 (video). The researchers informed Dirpy of their findings, and the company closed the database to the public shortly thereafter. The private data was available for over a month, between March 18 and April 24, 2024.
We do not know whether malicious third parties found and downloaded the database before the Cybernews team did.
Although downloading video content from these platforms without express permission from the authors is illegal, Cybernews emphasizes that using it for personal, non-commercial purposes is legal.
That said, there are ways hackers could have used the database. Apart from the usual phishing, identity theft or social engineering attacks, the attackers could theoretically discover the identities of the people who downloaded adult content, pornographic content or otherwise compromising content.
This information could then be used in extortion attacks, blackmailing people into giving away cryptocurrency in exchange for keeping the information private. Poorly secured databases are one of the most common causes of data breaches.