VirusTotal leaked data of 5,600 registered users

VirusTotal has suffered a data leak that exposed the names and email addresses of 5,600 of its registered users. The leaked data reportedly includes information about employees of US and German intelligence agencies (among others).

VirusTotal data leak exposed exploitable information

Google-owned VirusTotal is a popular online service for analyzing suspicious files and URLs to detect malware and malicious content through antivirus engines and website scanners.

As confirmed by Google to German publication Der Spiegel, at the end of June, a file containing names and email addresses of VirusTotal customers was unintentionally made available on VirusTotal by an employee. Even though the company removed the list within an hour of it getting uploaded, the file was obviously downloaded by at least one user.

Ultimately, it also ended up in the hands of Der Spiegel journalists, who verified that the list is authentic. “Names of government employees appear, and some of those affected can also be found on LinkedIn,” Der Spiegel reporters noted.

The list contains the names and corporate email addresses of 5,600 users who registered an account. Among those are employees at:

  • The US Cyber Command (the US military’s hacking unit), the US Department of Justice, the FBI and the US intelligence agency NSA
  • Official bodies from the Netherlands, Taiwan and Great Britain
  • Many German organizations including the Federal Police, the Federal Criminal Police Office, the Military Counterintelligence Service (MAD) and the Federal Office for Telecommunications Statistics.
  • Big German companies (Deutsche Bahn, Bundesbank, Allianz, BMW, Mercedes-Benz, Deutsche Telekom)

Users’ names and e-mail addresses have been leaked, but passwords haven’t.

Still, that’s enough information for threat actors to be able to spear-phish affected individuals, who are obviously responsible for IT security and malware within their organization.

The risk associated with uploading files to VirusTotal

While VirusTotal can be used for free by anyone who wants to check a specific file or URL via a web-based user interface, the paid version of the service is only available to companies and public sector organizations, allowing them more insight into uploaded samples. The uploaded files are also shared with security companies, professionals and researchers (VirusTotal customers or partners).

Some of the files uploaded by users to VirusTotal may contain sensitive data, as demonstrated by SafeBreach researchers, who collected more than 1,000,000 credentials contained in files that info-stealers and keyloggers use and that had been uploaded to VirusTotal.

The German Federal Office for Information Security (BSI) has previously warned organizations against the practice of automatically uploading files to VirusTotal, lest sensitive organizational data end up in third-party hands (VirusTotal subscribers).
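A pre-submission check in the spirit of the BSI warning, as an added example that is not part of the original article or any VirusTotal tooling: it hashes a sample locally and only marks it as eligible for upload when it is an executable with no credential-like or personal data in it. The pattern set, the policy and the sample inputs are assumptions constructed for illustration.

```python
import hashlib
import re

# Hypothetical patterns for content that should not leave the organization.
SENSITIVE_PATTERNS = {
    "password_assignment": re.compile(rb"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "email_address": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

# Assumed policy: only PE and ELF binaries are candidates for upload at all;
# documents, logs and exports are checked by hash only.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def triage(data: bytes) -> dict:
    """Decide how a sample may be checked against a shared scanning service."""
    digest = hashlib.sha256(data).hexdigest()
    findings = sorted(
        name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(data)
    )
    is_executable = data.startswith(EXECUTABLE_MAGIC)
    if findings or not is_executable:
        # The file content stays in-house; only the hash is looked up.
        action = "hash_lookup_only"
    else:
        action = "upload_allowed_after_review"
    return {"sha256": digest, "findings": findings, "action": action}


# Constructed sample inputs (not real data).
STEALER_LOG = (
    b"URL: https://intranet.example.test/login\n"
    b"USER: j.doe@example.test\n"
    b"PASSWORD: Summer2023!\n"
)
CUSTOMER_LIST = b"name,email\nJane Doe,jane.doe@example.test\n"
PE_STUB = b"MZ\x90\x00" + b"\x00" * 64

if __name__ == "__main__":
    for label, sample in [("stealer log", STEALER_LOG),
                          ("customer list", CUSTOMER_LIST),
                          ("PE stub", PE_STUB)]:
        result = triage(sample)
        print(f"{label}: {result['action']} {result['findings']} {result['sha256'][:16]}")
```

A hash lookup reveals only whether the service has already seen the file, so a customer list or a log full of credentials is never shared with other subscribers.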

UPDATE (July 21, 2023, 07:30 a.m. ET):

VirusTotal has apologized for the inadvertent leak and reassured affected users that the file was only accessible to company partners and cybersecurity analysts who hold a Premium account with VirusTotal. No anonymous or free account users on VirusTotal had access to the Premium platform.

“This was not the result of a cyber-attack or a vulnerability with VirusTotal. This was a human error, and there were no bad actors involved,” the company added.

“This list of limited customer data was critical to [the employee’s] role. Since this incident, we have implemented new internal processes and technical controls to improve the security and safeguarding of customer data.”
