Uncovering a Stalker with Breach Data

In 2019, a client of mine suffered a terrifying case of harassment which lasted many months. It included numerous threatening text messages, countless emails, and two physical package deliveries. It caused her to embrace an anonymous life with a full privacy reboot. She now lives in an anonymous home, and sleeps well at night knowing that no one can find her. However, it understandably has bothered her to not know the identity of her adversary. Today, she knows, and has allowed me to share redacted details about the investigation.

A website called "Get Revenge On Your Ex" (https://www.getrevengeonyourex.com) has been around for over a decade. It is one of many services which will blast text messages and emails to any victim for a small fee. With so many ways to harass people anonymously today, I don't think it is used as much as previous years. However, it has been on my radar for some time. I previously had no evidence this service was used as part of the harassment campaign targeting my client, but I do now. In September 2022, the site was breached and all user data was stolen. The post is below.

Below is the current view of the breached website.

When we digest data breaches, leaks, logs, and ransomware, our offline system immediately queries various client data to identify any new exposure. This new data set hit on my client's cellular telephone number. This breach included a file titled "v2ordersms.txt", which appears to contain every outgoing message sent by this service since 2009. This file includes entries for "phone", "message", and "timestamp". A fictitious entry would appears as follows.

"2025551212,I'm going to kill you,2021-01-01 00:11:49"

I will only display fictitious details throughout this post, but I will include the proper format of data in order to follow along with the investigation. I reviewed our internal reports and verified that the text message from this file matched the threat received by my client, as well as the cellular number associated with the message. This breach included numerous files extracted from the service, but it was difficult to associate a specific message with the suspect who purchased the harassment. While there were files which included the email addresses and plain-text passwords of all customers of this service, I could not immediately tie one account to the threatening texts, emails, or packages received by my client. Therefore, I began analyzing the timestamps.

In the previous example, the message was sent on 2021-01-01 at 00:11:49. I do not know which time zone this was, but I do know the date(s). I also acquired the dates of other messages sent to my client by the unknown suspect. I then opened a file called "v2rawpaypal.txt" from this breach. It contained all PayPal transactions in chronological order. I immediately noticed the following record (modified for privacy).

"2xxxx, "Thu, 01 Jan 2021 13:", Sale value: USD 2.96, Jon Doe, 111 south main, Apt 200, Los Angeles, California, 90000, 717.115.134.94, [email protected], The above payment has been processed. security code comparison - matched postcode comparison"

I immediately accessed the file titled "v2paypal.txt" to compare the purchase with PayPal details from another view, and they matched:

"717.115.134.94, Anonymous SMS, [email protected], 2021-01-01 at 00:17:42"

NOTE: These modified examples simply show the structure. The data I discovered included what appeared to be a real name, email address, and IP address. These entries identified that "[email protected]" from IP Address "717.115.134.94" ordered a fake SMS from this service and paid via PayPal the amount of $2.96. I then compared the orders from additional dates to my report and saw the same person's details each time.  This was much more than a coincidence.

Surely they used a VPN, right? Nope:

"OrgName: Charter Communications Inc Comment: Legacy Time Warner Cable IP Assets"

This doesn't tell me anything about the suspect, but a subpoena would. Unfortunately, I no longer have that power. However, I now have a suspect. I contacted my client and offered the details. She did not recognize the name and email at first, but called me later after she realized it was a man she worked with for a short period of time in 2020. I now feel confident that we know the identity of the suspect. I now let her decide how we proceed.

I post this to highlight the benefits of breach data. While most breaches include damaging details which could harm innocent victims, we occasionally encounter a breach which shares the exposure with criminals who think they are anonymous. I believe these are the successes which should be discussed when the ethics of data access are debated.

Oh, and if you are one of the 71,000 customers of "Get Revenge On Your Ex" who used PayPal to pay for the service, you are extremely exposed. Once online investigators start digging into this data, you may be the one who feels harassed.

The Privacy, Security, & OSINT Show – Episode 285

EPISODE 285-Travel Security Revisited

This week Jason joins me to revisit travel security protocols. If you have travel planned this holiday season, consider our privacy and security tips.

Direct support for this podcast comes from our privacy services, online training, and new books for 2022: Extreme Privacy (4th Edition) and  Open Source Intelligence Techniques (9th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free.

Listen to THIS episode below.

 

Listen to PAST episodes at https://inteltechniques.com/podcast.html

or Subscribe at: RSS / Apple / Stitcher  / Spotify / iHeart / Google


SHOW NOTES:

INTRO:

None

NEWS & UPDATES:

https://www.inteltechniques.net/
OSINT Book
UNREDACTED 005
Google Lens

TRAVEL SECURITY REVISITED:

Backpack Considerations
Building Good Habits
Carry-on vs. Checked
Wallets (Output)
https://slnt.com/discount/IntelTechniques
Interior Pockets
Ground Travel at Destination
Hotel
Dress
Situational Awareness
Cash
Offline Maps
Language


Free Guides: https://inteltechniques.com/links.html

Affiliate Links:
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
Proton VPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=277


The Privacy, Security, & OSINT Show – Episode 284

EPISODE 284-Password Managers & 2FA Revisited

This week I revisit the importance of password managers and 2FA, and offer new Bitwarden strategies for daily usage.

Direct support for this podcast comes from our privacy services, online training, and new books for 2022: Extreme Privacy (4th Edition) and  Open Source Intelligence Techniques (9th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free.

Listen to THIS episode below.

 

Listen to PAST episodes at https://inteltechniques.com/podcast.html

or Subscribe at: RSS / Apple / Stitcher  / Spotify / iHeart / Google


SHOW NOTES:

INTRO:

Password Managers

UPDATES:

None

PASSWORD MANAGERS & 2FA REVISITED:

This week
https://bitwarden.com/
Differences
Comparisons
Usage
Benefits
Trust
2FA
Import
Export
Browses
Sharing
Offline Access
Emergency Access
Summary


Free Guides: https://inteltechniques.com/links.html

Affiliate Links:
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
Proton VPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=277


The Privacy, Security, & OSINT Show – Episode 283

EPISODE 283-Announcements, Updates, & News

This week I offer numerous announcements, updates, and news items related to privacy, security, & OSINT.

Direct support for this podcast comes from our privacy services, online training, and new books for 2022: Extreme Privacy (4th Edition) and  Open Source Intelligence Techniques (9th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free.

Listen to THIS episode below.

 

Listen to PAST episodes at https://inteltechniques.com/podcast.html

or Subscribe at: RSS / Apple / Stitcher  / Spotify / iHeart / Google


SHOW NOTES:

INTRO:

None

ANNOUNCEMENTS:

https://inteltechniques.com/book1.html
Sporadic Shows
https://unredactedmagazine.com/

UPDATES:

Proton Mail Hardware 2FA Correction
https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
https://inteltechniques.com/tools/API.html
MySudo crash
IronVest
Spiderfoot

NEWS:

Medical Breach


Free Guides: https://inteltechniques.com/links.html

Affiliate Links:
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
Proton VPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=277


The Privacy, Security, & OSINT Show – Episode 282

EPISODE 282-Major OSINT Updates

This week I offer numerous new OSINT strategies and their corresponding IntelTechniques tool usage, plus the latest news and updates.

Direct support for this podcast comes from our privacy services, online training, and new books for 2022: Extreme Privacy (4th Edition) and  Open Source Intelligence Techniques (9th Edition). More details can be found at IntelTechniques.com. Thank you for keeping this show ad-free and sponsor-free.

Listen to THIS episode below.

 

Listen to PAST episodes at https://inteltechniques.com/podcast.html

or Subscribe at: RSS / Apple / Stitcher  / Spotify / iHeart / Google


SHOW NOTES:

INTRO:

Jeopardy!

NEWS & UPDATES:

Proton Yubikey
Standard Notes Bug (fixed)
Stealer Logs Lesson
Workbook Theft

MAJOR OSINT UPDATES:

Tor.link
Tweet Beaver
ID Crawl
Acrevalue
FaceCheck
News Radio
Remote Radio


Free Guides: https://inteltechniques.com/links.html

Affiliate Links:
Extreme Privacy (4th): https://amzn.to/3D6aiXp
Proton Mail: https://go.getproton.me/aff_c?offer_id=7&aff_id=1519
Proton VPN: https://go.getproton.me/aff_c?offer_id=26&aff_id=1519&url_id=277