Ethical hacker gains access to sensitive data of Belgians via old domain names

Ethical hacker Inti De Ceukelaire managed to gain access to sensitive information of Belgian residents by registering expired domain names of government services. He bought 107 different domain names, including those of police zones, hospitals and legal institutions.

De Ceukelaire bought the domain names for about eight euros each, he writes in a blog post. The domains had belonged to various Belgian public institutions and government services, including 44 OCMWs (Public Centers for Social Welfare). De Ceukelaire also purchased 32 former domains of police zones, 12 of CAWs, 12 of student guidance centers, 4 of hospitals and 3 of legal institutions, such as local courts. With the domain names in his possession, De Ceukelaire was able to receive email addressed to those domains. The white hat hacker looked up old email addresses on the various domains via public sources and then checked whether he could, in principle, reset the passwords of popular cloud services tied to them.

De Ceukelaire said he managed to identify 848 different email addresses in one week. The hacker successfully obtained the 'password reset' emails for 80 Dropbox accounts, 142 Google Drive accounts, 57 Microsoft, OneDrive and Sharepoint accounts and a dozen Smartschool and Doccle accounts. He did not actually log into these accounts.

The ethical hacker also received hundreds of other messages within a week, including information about detainees being released, reminders about payment arrears, emails about the health of vulnerable people, insurance reports and more. De Ceukelaire deliberately did not read those emails; their nature could be inferred from the subject lines alone.

The ethical hacker will try to return the domains to the rightful owners, he tells VRT. De Ceukelaire also recommends that institutions and companies automatically renew domain names, or at least renew them for a period of 'at least ten years', to prevent these types of data leaks.
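To turn the renewal advice above into a routine check, here is an added example (not from the article or from De Ceukelaire's own work) that triages a constructed domain inventory and account list: it flags domains that have expired, expire within an assumed 90-day window, or are neither auto-renewed nor registered at least ten years ahead, and lists the cloud accounts whose password-reset mail would land on those domains. All domain names, dates and accounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MIN_RENEWAL_YEARS = 10  # the "at least ten years" horizon the article recommends
WARN_DAYS = 90  # assumed alerting window for upcoming renewals
TODAY = date(2024, 11, 1)  # fixed reference date so results are reproducible
@dataclass(frozen=True)
class DomainRecord:
    name: str
    expires: date
    auto_renew: bool
# Constructed sample inventory; none of these are real registrations.
DOMAINS = [
    DomainRecord("ocmw-example.be", date(2029, 6, 1), auto_renew=True),
    DomainRecord("politiezone-example.be", date(2025, 1, 15), auto_renew=False),
    DomainRecord("rechtbank-example.be", date(2024, 3, 1), auto_renew=False),
    DomainRecord("caw-example.be", date(2035, 12, 31), auto_renew=False),
]
# Constructed (service, recovery e-mail) pairs from an account inventory.
ACCOUNTS = [
    ("dropbox", "admin@politiezone-example.be"),
    ("google-drive", "secretariaat@ocmw-example.be"),
    ("onedrive", "it@politiezone-example.be"),
]

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()  # lower-cased domain part

def assess_domains(domains, today: date) -> dict[str, list[str]]:
    """Map each risky domain to its findings (expired, expiring soon, or
    neither auto-renewed nor registered MIN_RENEWAL_YEARS ahead)."""
    horizon = today + timedelta(days=365 * MIN_RENEWAL_YEARS)
    findings: dict[str, list[str]] = {}
    for d in domains:
        issues = []
        days_left = (d.expires - today).days
        if days_left < 0:
            issues.append("expired")
        elif days_left <= WARN_DAYS:
            issues.append(f"expires in {days_left} days")
        if not d.auto_renew and d.expires < horizon:
            issues.append("not auto-renewed and registered for under 10 years")
        if issues:
            findings[d.name] = issues
    return findings

def accounts_at_risk(accounts, findings) -> list[tuple[str, str]]:
    """Accounts whose password-reset mail would land on a flagged domain."""
    return [(s, a) for s, a in accounts if domain_of(a) in findings]
```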