
SayaKenaHack.com

On the 19th of October, Lowyat.net reported that a user was selling the personal data of MILLIONS of Malaysians on their forum. Shortly after, the article was taken down at the request of the MCMC, only to be put up again a couple of days later.

Lowyat later reported that a total of 46.2 Million phone numbers were exposed, and the data included IC numbers, Addresses, IMSI, IMEI and SIM numbers as well. In short, a lot of data from a lot of people.

So Malaysia joined the ranks of the Philippines, Turkey and South Africa to have data on their entire population leaked on the internet. [Spoiler alert: This is not a good thing]

Where can I check?

You can head over to a site I created: sayakenahack.com to check if you’re part of the breach. So far I’ve loaded data from Maxis, Digi, Celcom and UMobile onto the site. I’ll be adding the smaller telcos later this week (stay tuned).

Medical council, etc…I’m still debating whether I should put that in. Maybe some doctors don’t want to be identified as doctors, so that data stays out for now.

Waah… That means you downloaded illegal data?

Technically yes, the data might be illegal. But any geek can find it online, it’s a google search away.

I’m just making the data available to the ‘normals’, people who don’t look around in hacker forums.

Plus all data is masked, so only the first 4 and last 2 digits of the phone number are available. Which is almost as good as the masking of credit card numbers on your printed receipts.

I also don’t publish any names or addresses. If you’re unhappy with this, you should be unhappy with the Election Commission website that publishes your name in FULL on their website upon entering just an IC number. Similar to PTPTN etc.
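The masking and field-dropping described above, as an added example that is not the site's own code: it goes slightly beyond the text by failing closed on short numbers and counting how many full numbers still fit a masked one. The field names (`ic`, `telco`, `msisdn`, `name`, `address`), the `MIN_HIDDEN` threshold and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: field names and MIN_HIDDEN are assumptions, and the rows
// at the bottom are constructed, not taken from any real data set.
const KEEP_HEAD = 4;  // leading digits left visible, per the post
const KEEP_TAIL = 2;  // trailing digits left visible, per the post
const MIN_HIDDEN = 4; // assumed floor on hidden digits

// Mask a phone number before it is stored or returned to a visitor.
function maskNumber(raw) {
  if (raw == null || String(raw).trim() === "") return "n.a";
  const digits = String(raw).replace(/[\s\-+()]/g, "");
  if (!/^\d+$/.test(digits)) throw new Error("unexpected characters in number");
  const hidden = digits.length - KEEP_HEAD - KEEP_TAIL;
  // Fail closed: a short number would otherwise be shown almost in full.
  if (hidden < MIN_HIDDEN) throw new Error("number too short to mask safely");
  return digits.slice(0, KEEP_HEAD) + "*".repeat(hidden) + digits.slice(-KEEP_TAIL);
}

// Number of full phone numbers consistent with a masked one.
function candidateCount(masked) {
  return 10 ** (masked.match(/\*/g) || []).length;
}

// Build the publishable record from an allow-list, so name and address
// cannot slip through when the source file gains a new column.
function toPublicRecord(row) {
  const exposed = [];
  if (row.ic) exposed.push("IC Number");
  if (row.msisdn) exposed.push("Mobile Number");
  if (row.name) exposed.push("Name");
  if (row.address) exposed.push("Address");
  return { telco: row.telco, number: maskNumber(row.msisdn), exposed };
}

// Constructed sample rows.
const rows = [
  { ic: "000000000000", telco: "Telco A", msisdn: "6012-345 6789", name: "X", address: "Y" },
  { ic: "000000000000", telco: "Telco B", msisdn: "", address: "Y" },
];
const published = rows.map(toPublicRecord);
console.log(published);
```

Masking at load time, rather than at display time, means the full numbers never reach the database that the public endpoint queries.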

Did you pay for the Data?

No. Contrary to what’s being reported the data is available for FREE online. Even the ‘hacker’ who was selling it on Lowyat was basically a re-seller.

I did not pay for the data, I would never validate the business case of reselling stolen data.

If I search for my IC, will you log my data?

No.

In technical terms, I’ve switched off logging for my API Gateway, CloudFront & Lambda.

If I wanted your data — I wouldn’t need you to search for you. I already have it.

OMG I’m breached !!! What can I do?

Unfortunately, there’s little you can do.

Your IC number is a permanent fixture of your life – and can’t be changed. This is bad design, but it’s the design we have at the moment.

If you lose your Phone Number, Credit Card details or E-mail address, you’d still have some form of mitigating the damage. But if someone gets your IC number, you can’t go to the NRD and get them to issue you a new one.

To be fair IC numbers (in their modern form) are at least 25 years old, so I’m not blaming anyone — but the reality is that we should either stop using IC numbers so extensively, or find some way to make them mutable. Not an easy task, but until that happens the damage of this leak will continue… in perpetuity.

Now onto the good news!

The leak is from 2014, so the chances of you having the same phone is minuscule. I know of only one person whose phone is older than 3 years old, everybody else has changed their phone. So IMEI numbers (which are tied to your phones) from 2014 are pretty useless.

IMSI and SIM are almost the same as well. Over the past 3 years, I’m almost certain a large percentage of the victims (50-80%) would have their sim cards swapped — primarily from buying a new phone that required a micro or nano sim or from porting telcos, or just losing their phones.

What’s not so good is the fact that most people still keep their Name, Address and Phone Number. So those are the top 3 (4 if you count IC Numbers) data elements in the breach, and unfortunately they’re almost all there.

Where did the data come from?

Well……

The breach includes not just Telco data but Jobstreet and various other sources as well. Let’s just focus on Telco because that’s the big one.

There are only 2 possibilities on where the telco data came from:

  • Someone hacked into individual telcos and took it; or
  • Someone hacked a central source with all the data

Now, consider that all telcos are in this breach — including Altel, PLDT, Redtone, etc. Which self-respecting hacker, with the skills to hack Maxis, Digi and Celcom, is going to waste time on Altel? Really?!

Consider also, that if you downloaded the data, (which I obviously have), it’s clear as day where the leak came from. It’s so clear, Stevie Wonder can see where the data was leaked from.

I’m hoping over the next few days somebody somewhere will make an announcement.

In the meantime, stay safe Malaysia.

End notes and Special Thanks

Thanks to Bin Hong for alerting me that I had a few logs on the GitHub repository. I’ve torn down the old repo and created a new one.

Thanks to Ang YC for letting me know I gave too much info to folks.

Thanks to **rax***n for sharing the data on the *ahem* site.

Thanks to Ridhwan Daud for correcting my API spelling. (it’s case sensitive).

All data available on sayakenahack.com is available somewhere on the web. I’m just making sure that it’s not just geeks/hackers who have this data, but the average citizen can also be informed if they’re part of the leak.

I’m especially proud of the architecture underlying sayakenahack. It’s completely serverless, and I’ll make a post about it soon. But learning DynamoDB and about a gazillion AWS services to deploy this was both fun and tiring.

For now, you can build your own version of sayakenahack with the data, by using the API at:

https://sayakenahack.com/api/v1/pwn?icNum=12345

I’ve changed the API many times. I promise this version is stable for the next 3 months.

The API is CORS-enabled, so you can call it with JavaScript in your browser. There’s only one endpoint for now; I’ll be documenting the API and will publish some documentation soon.

I spent a good 40+ hours building all of this, the code is mostly available on my GIT repository. Couple of elements aren’t there (lambda function to query DynamoDB) — but I’ll upload that when time permits.

106 Comments

  1. Anonymous

    What assurance do I have that this isn’t just another way for someone, perhaps even you, to steal my data? As it is, I’ve been getting phone calls from weird numbers

  2. Shafique

    Thanks for this! I found you when I was trying to ‘hack’ into my tm unifi router. Hehe. You provide excellent information and easy to understand too. You inspire me to delve into coding more now. Thanks again! Cheers

  3. Fabian

    Can you introduce a safe way to reverse lookup spammer? That might reduce possibility of spammer coming from local number and most people can safely ignore weird international number.

  4. tester

    SayaKenaHack.com
    Check if your IC Number that has been compromised in the telco breach

    IC Number (no dashes or spaces)*
    000000000000
    CHECK

    Oh-oh! You’ve been pwned
    Your IC number is in the breach, and tied to the following phone numbers:

    Telco: Celcom
    Number: 013*****33

    Telco: Celcom
    Number: 013*****37

    Telco: Celcom
    Number: 013*****43

    Telco: Celcom
    Number: 013*****50

    Telco: Celcom
    Number: 013*****54

    Telco: Celcom
    Number: 013*****63

    Telco: Celcom
    Number: 013*****94

    Telco: Celcom
    Number: 014*****20

    Telco: Celcom
    Number: 014*****23

    Telco: Celcom
    Number: 019*****01

  5. IAmTheTerrorThatFapsInTheNight

    With respect to the info on doctors, perhaps at least put a message saying something like “If you are a doctor or registered with the Malaysian Medical Association since so-and-so date, the following data from the MMA is also in the leak: MMA registration number, etc, etc”. That way, those who need to know that their data is at risk will know, and those who don’t want to be identified as medical professionals wouldn’t be identified by someone entering their IC number.

  6. Anonymous

    Nice one bro, solid article!!.. Just recently CIMB got hit too, but the least worrying part is they say the tapes they backed up don’t have passwords or anything important, so OK lah.. just be patient, I guess.

  7. Vektor Dynamik

    Thanks Keith for sharing and making the database access user-friendly for us regular Joes. With the recent issues on data leaks on both this massive personal particulars leak from those aforementioned companies in the article, and the CIMB Bank data tapes theft, we are now entering dangerous waters right here in Malaysia. Let’s hope that all large corporations can better secure their data and take pre-emptive steps to prevent any thefts or hacks from happening. I understand that there’s no foolproof method, but it is what we do from here on that matters. Speaking of which, being upfront and giving clarity on such situations are vital to the public eye. CIMB’s move to create a special FAQ section on their site for the stolen tapes incident – is something exemplary that not many companies would do. And let’s hope the aforementioned companies in the hack mentioned in the article can be just as honest as CIMB.

  8. Anonymous

    Hi Keith,

    I’ve checked mine. The results as below:

    Data exposed: IC Number, Mobile Number, Name, Billing Address, IMSI, IMEI, SIM Number, Phone Number

    Could you please define “Phone Number” terminology? Does it mean all phone records in that sim?

  9. Anonymous

    can i just ask the telco to terminate the phone number registered under my IC but doesnt belong to me?
    Anyone can answer this? I will be going to my telco to find out soon

  10. M'sian in S'gor

    Hi Keith,
    1st off, thx for the work and this site.
    My results show I’ve been pwnd, but I also notice that the numbers could be the numbers that I’m already having with Mxs. 1 main line & 3 supplementary lines.
    Is this also possible??

  11. Tahir Jaafar

    Hi, can I go to the telco provider and make them delete/ban the numbers that were registered under my name? What is your advice on this?
    Thanks in advance.

  12. Anonymous

    Oh-oh! You’ve been pwned
    Your IC number is in the breach, and tied to the following Accounts.
    Data is from 2014 and only the registered owner of the account is affected.

    Telco: Celcom
    Number: 013*****22
    Data exposed: IC Number, Mobile Number, Address

    Telco: Celcom
    Number: 019*****02
    Data exposed: IC Number, Mobile Number, Address

    Telco: Celcom
    Number: 019*****74
    Data exposed: IC Number, Mobile Number, Address

    Telco: Celcom
    Number: n.a
    Data exposed: IC Number, Address

    Can I get the phone number details?

  13. Anonymous

    Thanks for the info bro. My numbers were breached as well. Digi and Celcom. But what can we do except to sit and hope nothings happens. Cheers mate.

  14. Anonymous

    Hi Keith, not sure I understand this outcome as below correctly. Could you elaborate further and what should I do next?

    Oh-oh! You’ve been pwned
    Your IC number is in the breach, and tied to the following Accounts.
    Data is from 2014 and only the registered owner of the account is affected.

    Telco: Maxis Postpaid
    Number: 6012*****62
    Data exposed: IC Number, Mobile Number, Name, Billing Address, IMSI, IMEI, SIM Number

    Appreciate your prompt reply.

    Thanks.

    • Jeremy

      I will Keith to explain as he might be very busy and swamped at the moment, with other things.

      Basically, your IC number, mobile number, your real full name, billing address where you register your phone address as, IMSI (which is the unique number associated with you on your cellular network which identifies you!), IMEI (which is the unique number associated with your device which identifies your specific device), and your SIM number (which is your specific unique SIM number), has all been breached and leaked and is being sold. So, it’s everything about you and your mobile.

  15. aaa

    My info is breached! I didn’t know from this website though. I wanted to port in my digi to maxis but i couldn’t because my ic was breached. Now blacklisted by U Mobile. Same IC Number, different name and address. The sad thing is U Mobile is not really helpful. Treating me like a genuine blacklister. Issue still not resolved until now.

  16. Prakash

    Hi, i knew someone hacked my hp maxis info and took my frequent call contact from the details. How to know who actually hacked my hp call in and out details?

  17. Anonymous

    Consider also, that if you downloaded the data, (which I obviously have), it’s clear as day where the leak came from. It’s so clear, Stevie Wonder can see where the data was leaked from….. lol at least some humour to lighten this up 🤪🤪

  18. Yong

    Hi Keith,

    I checked mine and there is a mobile number that registered using my IC but does not belong to me. I called the telco per say (DIGI) and they said they can’t find any number registered under my IC and told me that even though the number starts from 016, that doesn’t mean its under DIGI as number porting is very common nowadays. I then proceed to call MCMC and the lady says if you can get the full complete number then she can help to log a case.

    So now the question is
    a) Does this mean i need to call all telco to check?
    b) Can i get the full number ? because sayakenahack website only shows the format of 6016-*****12.

  19. jj

    What if this is just a ploy to get MORE data? I mean, even if the author states his actions/intentions to be genuine, this site is and will be collecting and storing your data you so willingly provide. Think twice, the aforementioned ‘leak’ was in 2014, 3 years ago. Unless your life has been clearly affected by this, there is no reason why you would enter your personal ID number into a website that is so poorly titled, that seems to be a scam itself.

  20. Sheahnee

    What troubles me is that none of these big corps had the decency to apologise for this breach on their customer’s data. If this had happened in the US or UK believe me telcos would be scrambling to rectify this publicly to avoid getting their pants sued. Sadly, some of this is due to ignorance and the tidak-apa attitude of Malaysians.

  21. Anonymous

    I have just changed my phone early this year and I am affected. A few friends of mine also had their data stolen, but when they entered their I/C.. their old numbers that are not being used anymore came out. How is that so?

  22. Jack

    Thank you Keith for exposing the vulnerability of our information from telcos otherwise we will be thinking the hack is through our mobile phones. In Malaysia, anything goes..😢

    • Anonymous

      Hacking individual mobile phones is nearly impossible. Think about the amount of data leaked, and think again…. how much time would be needed to hack and get all that data without being detected by the system and network administrators who work day & night trying to protect their systems?

  23. XOXO

    decades of not implementing meritocracy has caused mediocrity to creep up everywhere, including safeguarding the people’s interest.

    Ah well, it is the people who are not demanding enough of meritocracy the first place.

    meanwhile, great brains like Keith, even though I don’t think it’s hard to set up the website once you have the data, has rightfully decided not to live in Malaysia no more. Too bad Malaysia.

    The hackers will enjoy the data for now (actually, regular IT grads with some capability also can)

  24. Anonymous

    I wonder if you could hack into this website which still shows IC of winners of some contest in 2008. Couldnt get them and ask them to pull it down. Not sure if they are dumb or something.

  25. Jason

    I have checked in your website and the below found :

    Oh-oh! You’ve been pwned
    Your IC number is in the breach, and tied to the following Accounts.
    Data is from 2014 and only the registered owner of the account is affected.

    Telco: Digi Postpaid
    Number: 6016*****63
    Data exposed: IC Number, Mobile Number, Name, Billing Address, IMSI, IMEI, SIM Number

    So, what I must do now? Please advise. TQ!

    • Anonymous

      it is mentioned in the article that the data records were leaked in 2014. so if you have new numbers which were registered after 2014, you’re (perhaps) safe.

  26. Anonymous

    should not block / shut down the website because there’s already a disclaimer, I guess!!

    the check function is pretty good though, because in case I key in my IC number but someone else’s phone number comes out, that means my IC number was used to register someone else’s phone number. criminal perhaps?!

    without access to this function how can we know about it? call all telco hotline one by one and check? duh
