Nintendo Switch Issue Shows Quirk in Password UI [Updated]

The issue revolves around a password entry screen on the eShop.
May 22, 2020, 12:00pm
Nintendo Switch
Image: Cathryn Virginia

Correction: Researcher Runa Sandvik said they found that an 'OK' dialogue box in a login user interface on the Nintendo Switch lit up when a user entered only part of their password, and that this is unusual behaviour. However, the dialogue box actually changes when a user enters a series of characters that meet Nintendo's minimum requirements for a password. Those requirements are that the password be 8 characters in length and contain at least two of the following: lowercase or uppercase letters, numbers, and punctuation. The password also cannot have the same character more than twice in a row. Motherboard verified that Sandvik's interpretation is not correct by typing in a random series of digits that aren't a real password but which do meet those requirements; the 'OK' box lit up. This points to a quirk in the Switch's UI, but not necessarily a security vulnerability. The original article follows below. Motherboard regrets the error.


Over the past few weeks, hackers breached tens of thousands of Nintendo accounts. In some cases, hackers bought digital products such as in-game currency with victims' linked payment information.

Now, a security researcher has found an odd issue with how the Nintendo Switch console handles login credentials, potentially making it easier for hackers to figure out people's passwords, and raising questions about how Nintendo is storing passwords.

The issue revolves around how users log into the eShop from a Nintendo Switch. As security researcher Runa Sandvik explained it, when logging into the eShop before typing in a password, the 'OK' dialogue box is greyed out. When a user enters their correct password, it lights up and lets the user log in. Expected behaviour, so far.

Do you work at Nintendo, did you used to, or do you know anything else about the company? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

But Sandvik found that the 'OK' box also lights up if the user only enters the first eight characters of their password. The eShop won't let the user actually log in—they still need to enter their complete password—but it does provide visual feedback to someone trying to guess a password that they're on the right track. Essentially, this could give a hacker a better chance of figuring out your password if they only have to determine what comes after the eighth character, although of course they would still need to get that first section too.

"Makes it easier when you signal whether the first 8 are correct," Sandvik said.


A screenshot showing the login box with the first seven characters of a password, and then a screenshot showing the login box with the first eight characters of a password. In the second screenshot, the 'OK' part of the dialogue box is lit up. Image: Motherboard

Beyond potentially providing hackers clues on whether they have part of someone's password, Nintendo being able to display this information raises several questions around how the company is protecting users' passwords in the first place.

Typically, websites and services will 'hash' a user's password, and store that rather than the plaintext password itself. A hash is essentially a one-way, cryptographic fingerprint of a piece of data. A user will type their password into the login box, the system will hash that input, and then compare it to the hash the website has on file to see if they match. If they do, the system logs the user in.

But, that would not necessarily work if Nintendo is able to tell a user that they've successfully entered the first eight characters of their password. Is Nintendo creating a hash of the first eight characters as well as another hash of the full password? Is Nintendo storing the first eight characters in plaintext?
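The correction above gives the likely explanation: the button is driven by a local complexity check, not by the stored credential. The following added example (not Motherboard's or Nintendo's code) models both halves of that screen: a policy check built from the requirements the correction lists, beside a salted-hash verification of the kind the previous paragraph describes, which returns only yes/no and cannot signal a correct prefix. Treating lowercase and uppercase letters as one class, and the sample password, are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed for this example; not Nintendo's code.
# Minimum requirements as stated in the correction: 8 characters, at
# least two of {letters, numbers, punctuation}, and no character
# repeated more than twice in a row. Reading "lowercase or uppercase
# letters" as a single class is an assumption about the wording.
CHARACTER_CLASSES = (
    re.compile(r"[A-Za-z]"),      # letters
    re.compile(r"[0-9]"),         # numbers
    re.compile(r"[^A-Za-z0-9]"),  # punctuation / anything else
)
TRIPLE_RUN = re.compile(r"(.)\1\1")
PBKDF2_ROUNDS = 100_000


def meets_policy(typed: str) -> bool:
    """Local complexity check of whatever has been typed so far.

    It never consults the stored credential, so True means only that the
    text looks like a valid password, not that it matches one.
    """
    if len(typed) < 8:
        return False
    classes_present = sum(1 for rx in CHARACTER_CLASSES if rx.search(typed))
    if classes_present < 2:
        return False
    return TRIPLE_RUN.search(typed) is None


def make_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash; the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(record: tuple[bytes, bytes], candidate: str) -> bool:
    """Hash the full candidate and compare in constant time.

    A prefix of the real password hashes to an unrelated value, so the
    comparison gives a plain yes/no with no hint about partial matches.
    """
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, digest)


def login_attempt(record: tuple[bytes, bytes], typed: str) -> dict:
    """Model the eShop screen: the button state and the actual login result."""
    return {"ok_enabled": meets_policy(typed), "logged_in": verify(record, typed)}


if __name__ == "__main__":
    record = make_record("Correct.Horse42")  # constructed sample password
    for attempt in ("Correct.", "Correct.Horse42", "12345678", "1234567!"):
        print(f"{attempt!r:20} -> {login_attempt(record, attempt)}")
```

Both the first eight characters of the real password and an unrelated policy-meeting string light the button, while only the full password logs in, which is the behaviour Motherboard observed.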

"Weird," Per Thorsheim, a password security expert and founder of the PasswordsCon conference told Motherboard in an online chat. "Good UX [user experience] may have been a point, but it might weaken or even compromise the security," he added.

Nintendo acknowledged a request for comment but did not answer any questions on how it stores passwords.


Finance Giant Plaid Paid People $500 for Their Employer Payroll Logins

The offer was part of an internal test at Plaid. If people’s employers didn't provide permission, Plaid may run afoul of U.S. hacking laws.
May 11, 2021, 1:31pm
Plaid
Image: Rafael Hentique/SOPA Images/LightRocket via Getty Images

Plaid, a giant in the finance world that was recently valued at $13 billion, paid people $500 each for providing their employer payroll login details, which, if the people were not authorized by their employer to share the credentials, may run afoul of U.S. hacking laws, Motherboard has learned.

The news highlights the interest in payroll data, with various companies launching products centered around the novel dataset. Last week, Motherboard reported on how a company called Argyle was linked to a series of suspicious websites that offered to pay people for their workplace login details.


A Plaid employee asked people to temporarily share access to their payroll login credentials, according to a copy of the message obtained by Motherboard. Plaid confirmed the offer's legitimacy. Plaid gained access to the accounts under its own name and told Motherboard this was part of a pilot program to build "consumer-permissioned tools that make it easier for consumers to securely share their information digitally."

The message said the login credentials were to be used as part of a Plaid test, and asked participants to specify which payroll processor they were on. In responses to the message, the Plaid employee said participants would be paid $500; a responder also specifically mentioned the payroll service Workday.


Plaid told Motherboard 12 people participated in the test and that it was vetted by the company's legal counsel. Plaid added that participants' login credentials have since been deleted and that the test was only open to friends and family of existing Plaid employees.

Plaid provides the APIs for apps such as Venmo, Robinhood, and Coinbase to connect to bank accounts. Visa planned to acquire Plaid for $5.3 billion, before both companies called off the deal in January after the Department of Justice sued to stop the acquisition on antitrust grounds. In April Plaid announced a $425 million Series D funding round, with a company valuation of $13.4 billion. Plaid's new "Income" product, currently in beta, offers to "Verify anyone's income and employment easily." The product is designed at least in part to help lenders confirm a person's income.


Companies across the U.S. use a selection of different payroll services, such as Workday or ADP. These let workers and their employers manage and monitor people's pay, tax statements, and other workplace information. Generally, workers do not have blanket authorization from their employers to share corporate login credentials, even if the credentials are for accessing their own work accounts.

Riana Pfefferkorn, research scholar at the Stanford Internet Observatory, said this case "absolutely" could fall under the Computer Fraud and Abuse Act (CFAA), the U.S.'s hacking law. Pfefferkorn pointed to a previous case involving Facebook and another company called Power Ventures, with which Facebook users shared their login details. Power Ventures let users log in and manage all of their social media accounts at once.

"The company was deemed to have violated the CFAA nevertheless because it didn't have Facebook's authorization to access Facebook's servers," she told Motherboard in an online chat. In this new example, Plaid would be the party violating the CFAA. Facebook was awarded $79,640 in damages.

Pfefferkorn added she thought there wasn't much risk of a CFAA claim against the individual worker, but they "may have violated their employment contract, which probably says something like 'don't share your goddamn login credentials with people outside the goddamn company, you idiot.'"

Motherboard asked Plaid four times if participants in the program had authorization from their employers to share their login credentials. The first time Plaid said it had no way of knowing. The other times, sent via email, Plaid either ignored or did not directly answer the question.

"Consumers have a right to access their own financial information, including their own payroll data like their paystubs, and should have the choice to use and share this data to manage their financial lives," a Plaid spokesperson told Motherboard in a statement. "Consumers already share their payroll data for many important financial services—to qualify for loans, lease cars or apartments, and more. The research program in question was a voluntary and time-limited pilot program to assist Plaid in building consumer-permissioned tools that make it easier for consumers to securely share their information digitally. Plaid was transparent with the 12 participants about the scope of the program, and received explicit informed consent to act as an authorized agent when participants allowed access to their individual account. Plaid is confident that consent-based sharing of credentials for legitimate purposes where the credentials are used only to access the data of the consenting user is not unlawful."


Credit Card Hacking Forum Gets Hacked, Exposing 300,000 Hackers’ Accounts

Credit card hacking forum Carding Mafia is the latest victim of the age-old hackers on hackers crime.
March 25, 2021, 6:54pm
credit-cards
Image: Daniel Acker/Bloomberg via Getty Images

Carding Mafia, a forum for stealing and trading credit cards, has been hacked, exposing almost 300,000 user accounts, according to data breach notification service Have I Been Pwned.

The data breach allegedly exposed the email addresses, IP addresses, usernames, and hashed passwords of 297,744 users. Have I Been Pwned announced the data breach on Tuesday, saying the breach happened last week. 


On the Carding Mafia forum and its public Telegram channel, however, there was no sign that its users have been warned. Carding Mafia has more than 500,000 users, according to the forum's own statistics. The site administrator did not immediately respond to an email asking for comment. 

Troy Hunt, the founder of Have I Been Pwned, told Motherboard that he was able to confirm the hacked database is legitimate. Hunt said that he noticed the database contained Mailinator email addresses, a service that allows anyone to create throwaway email addresses. Hunt said he then entered those addresses into the forum's Forgot Password feature and saw that they were recognized as valid emails. Mailinator addresses are usually created for one purpose and not reused; the fact that these addresses appear in the data dump and are also recognized by the forum suggests that the data is legitimate.

Do you have information on this data breach or other data breaches? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

Motherboard can confirm that the forum says "you have not entered an email address that we recognize" when trying to use the Forgot Password feature with an email that we have not used to register on the forum. 

"Another 'hacker hacking hackers' story," Hunt said.  


Motherboard has not seen the data, and we are unable to independently confirm the breach. 

On another hacking forum, a user was advertising the data allegedly stolen from Carding Mafia on January 27 of this year. 


This is the latest example of forums that cater to hackers or cybercriminals getting hacked. In 2017, hackers stole the database of a hacking forum called Darkode right after it opened. The infamous OGUSERS forum, where people traded stolen Instagram and other social media accounts, has been hacked twice, in 2019, and 2020. More recently, security journalist Brian Krebs reported that three of the most important Russian-language cybercrime forums have been hacked over the span of three weeks. 

In all of these cases, the hacked user information can be used to link pseudonymous users across different forums. Law enforcement agencies could also use the stolen data to try to identify criminals hiding behind those nicknames.


One of The Biggest Cybersecurity Companies In The World Just Got Hacked

In a blog post, FireEye CEO Kevin Mandia said the company was targeted by "a nation with top-tier offensive capabilities."
December 8, 2020, 9:53pm
FireEye
Image: Rafael Henrique/SOPA Images/LightRocket via Getty Images

FireEye, a top-end cybersecurity firm that works to protect government and corporate systems alike, announced on Tuesday that it was itself the target of what it described as hackers from "a nation with top-tier offensive capabilities," with the hackers stealing FireEye's own offensive tools, which could be used for future hacking operations.

The news highlights how those in the cybersecurity industry can also be the target of hackers, and in particular, those who may hold valuable hacking techniques.


"This attack is different from the tens of thousands of incidents we have responded to throughout the years," FireEye CEO Kevin Mandia wrote in a blog post. "The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past."

Specifically, the announcement said FireEye found the hackers stole "Red Team assessment tools," tools that are used to offensively test systems' security for the benefit of customers who want to make sure that their defenses could withstand a real attack. In response, FireEye released methods for detecting the use of such tools, presumably in case the hackers decide to use them in the future.

"We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools," Mandia's post added.


The FireEye announcement added that the attacker primarily sought out information related to "certain government customers."

"While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements or the metadata collected by our products in our dynamic threat intelligence systems," it added.

The case bears some similarities to that of a theft of offensive hacking tools used by the NSA. In 2016, a group of self-described hackers calling themselves the Shadow Brokers started to publicly release powerful exploits stolen from the agency. Microsoft issued patches for a number of the underlying vulnerabilities, but other hackers were still able to adapt and use the exploits for their own purposes. Famously, the WannaCry ransomware attack, which devastated networks across the world, including in hospitals, made use of code the Shadow Brokers released. Multiple private and government entities have attributed the WannaCry attacks to hackers working on behalf of North Korea.


The Shadow Brokers dump included zero day exploits, which take advantage of vulnerabilities that, at the time of release, the affected manufacturers were not aware of and so could not patch. FireEye's announcement said its own stolen toolkit did not include zero day exploits.

FireEye has been involved in responding to some of the most high profile hacks stretching back years, including Sony, Equifax, and Anthem.

"We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers. As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely," Senator Mark Warner said in a statement reacting to news of the hack.


There's Another Facebook Phone Number Database Online

Analysis by Motherboard and a security researcher indicate the database is separate from the recently reported cache of 500 million accounts.
April 9, 2021, 5:25pm
Facebook
Image: OLIVIER DOULIERY/AFP via Getty Images

An online tool lets customers pay to unmask the phone numbers of Facebook users that liked a specific Page, and the underlying dataset appears to be separate from the 500 million account database that made headlines this week, signifying another data breach or large scale scraping of Facebook users' data, Motherboard has found.


Motherboard verified that the tool, which comes in the form of a bot on the social network and messaging platform Telegram, outputs accurate phone numbers of Facebook users that aren't included in the dataset of 500 million users. The data also appears to be different from another Telegram bot outputting Facebook phone numbers that Motherboard first reported on in January.

"Hello, can you tell me how you got my number?" one person included in the dataset asked Motherboard when reached for comment. "Omg, this is insane," they added. Another person returned Motherboard's call and, after confirming their name, said "If you have my number then yes it seems the data is accurate."


A description for the bot reads "The bot give [sic] out the phone numbers of users who have liked the Facebook page."

To use the bot, customers need to first identify the unique identification code of the Facebook Page they want to get phone numbers from, be that a band, restaurant, or any other sort of Page. This is possible with at least one free-to-use website. From there, customers enter that code into the bot, which provides a cost of the data in U.S. dollars and the option to proceed with the purchase, according to Motherboard's tests. A Page with tens of thousands of likes from Facebook users can cost a few hundred dollars, the bot shows. The data for Motherboard's own Page would return 134,803 results and cost $539, for example.


The bot offers the data for free if the Page has under 100 likes. Motherboard provided the bot with several Pages with a low user count and obtained the corresponding data. The bot provides a simple spreadsheet file with the Facebook user's full name, phone number, and gender. The bot does not necessarily provide data on all users who liked the Page; for a Page with around 50 likes, the bot provided a spreadsheet of under 10 users.

Motherboard took names in the spreadsheet, found the person's corresponding Facebook profile, and verified that they did like the specific Page (at the time of writing, although a Facebook Page shows how many users liked it, it is not possible to directly see who those users are unless they are already your Facebook Friends). None of the Facebook profiles Motherboard viewed publicly displayed their phone number at the time of writing. But the phone numbers provided by the bot appear accurate. In one case, Motherboard added the number as a contact in a phone, and on WhatsApp saw a profile image identical to the one on the user's Facebook account. The data appears to be historical: when Motherboard used one of our own Facebook accounts with a linked phone number to like multiple Pages, our phone number did not appear in the bot's results. The bot does not return data on all Pages, according to Motherboard's tests.

Motherboard then took phone numbers from the Telegram bot and entered them into Have I Been Pwned, a breach notification service run by security researcher Troy Hunt, who has uploaded the database of 500 million Facebook users into the service. None of the numbers Motherboard tested appeared in that dataset, according to Have I Been Pwned tests. 


Motherboard also shared the data obtained from the bot with Alon Gal, co-founder and CTO of cybersecurity intelligence firm Hudson Rock who first tweeted about the recent 500m dataset. He said that none of the numbers obtained from the bot appear in the 500m dataset.

Gal said he also used Facebook's forgotten password mechanism to show that the numbers were linked to real Facebook accounts. In some cases after entering the phone number into the forgotten password field, Facebook returned a redacted version of the name of the user. This corresponded to the spreadsheets obtained by Motherboard from the bot: "T… S…" relates to a name in the spreadsheets beginning with those letters, Motherboard found when replicating that test.

When Motherboard reported on a separate Telegram bot that let customers input a user ID and receive the Facebook user's phone number, we uncovered the phone number of a user who deliberately tries to keep their number private. That number did not appear in tests with the new Telegram bot either. Gal said he also checked the new bot's data with another previous data breach and only one number out of all those tested overlapped.

"What threat actors would want to do with it is extract specific niche pages and have them sold as 'leads'," Gal said when Motherboard showed him the new bot. "For instance, extract the 'Bitcoin UK' group and convert them to a list of phone numbers ready to be sold as leads to companies, quite a lucrative business."

Facebook did not immediately respond to a request for comment. The 500 million dataset was built by attackers exploiting an issue with Facebook's contact import feature, Facebook has said. Facebook has deflected responsibility for that data dump, writing in a blog post "While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly."

Telegram did not immediately respond to a request for comment.

Jason Koebler contributed reporting to this piece.
