When a friend warned me, it was 22:00 on Tuesday: “Dude, look,” accompanied by a link. The site in question was a well-known forum in the cyber crime community. The post claimed a data leak covering 30 million Banco Neon customers.
In fact, the leak was very robust: precise data and personal information were shown, with clear and adequate references to prove the possible accuracy of the content. Also, after a few minutes, I managed to confirm that the images really are from Neon's internal system, through an anonymous source who works in the field and is in contact with the institution. The report was ready.
When I contacted Neon, it was possible to navigate between the following customer data: full name, sex, e-mail, post code, CPF, CNPJ, telephone, mobile, profession, mother's name, income, balance, account profile, account number, photo (selfie), document images, purchasing history (e.g. PIX payment movements), requests, notifications and the model of the customer’s mobile device on which the Neon application is installed.
On Wednesday the 12th, at 09:00, the attacker who leaked the bank data wanted to talk to me. He calls himself “Pegasus”, says he has already carried out other attacks and is a security researcher, and below you can follow what he says.
Our Chat
Tecmundo: What was your motivation for the attack and the leak?
Pegasus: “Dissatisfaction at not being financially recognized for finding errors. Here in Brazil, the culture is completely turned upside down. I have already found a lot of violations; when I report them, they don’t even answer, they correct the failure and ignore the award. By the way, the reward here is ridiculous. For the severe area faults I have discovered over the years, they want to pay a thousand dollars, and they still prefer to call me a cyber criminal… When I try to report a failure, except ‘extortion’ processes …”
Tecmundo: How were you in contact with the bank?
Pegasus: “Look, as you can see, there are 30 million complete data and yesterday I contacted Neon before (10), I talked with the wood and everything, the most difficult way, in fact the only data exposed at this point, the examples I sent and the video … These data are not sold to third parties, I deliver banks or customers to only two people. I paid time, money and mind to this project. Neon and 5 BTC at 5 BTC, they confirmed that they would pay yesterday and nothing! He treats people without committing and without a word. Look, I allowed seven thousand SMS to warn your customers.”
OK, we must clarify some things before returning to this conversation. First, bug bounty: these are reward programs for finding flaws and security weaknesses on websites. In Brazil, many companies are already rewarding security researchers for this assistance, but such programs are not as solid as in other countries.
The second point concerns a request for payment made to Banco Neon the day before the publication of the data. Pegasus sent me screenshots of the communication with bank employees, and this communication did in fact take place. The demand for five Bitcoin is equivalent to R$ 2.8 million.
Finally, Pegasus claims to have sent seven thousand SMS messages to the affected customers: “XXXX has leaked your data by Neon! Urgent access: xxxxx”.
Yes, he has set up a website where customers can check whether or not their data leaked. However, let’s continue to spread the space for now, Banco Neon is about.
Tecmundo: What was the way to access the data?
Pegasus: “I never worked there (Neon Bank). It was an area failure that existed by chance on almost all .br sites. This is a matter of identity.”
Tecmundo: Can you talk a little more about this?
Pegasus: “Ask .gov, but there are other tools without it. That’s why I’m talking about identity.”
At this point I felt that Pegasus didn’t want to go into much detail. The issue returned to the bank.
Pegasus: “Now a question, how much do you think it’s worth? Calculations only LGPD fine penalties, compensation, lawyers, brand, reliability, make investors. After all, a bank is a matter of trust, no one will leave your money in a place where they do not trust. So how much is the value of such a violation? I have done something wrong so far. To remove data. But here is just like that in Brazil. Because if I had shown them the failure (and I haven’t shown yet), they completely corrected me and ignored me.”
Tecmundo: But to prove the leakage, I saw that you showed the data of many customers in the forum (also in the video). Were these customers, used as an example, not harmed by the exposure?
Pegasus: “He was about to draw attention, I knew he was there. Since the Seasa… I have deleted so many publications and video. You know, I didn’t put it on YouTube, it’s very limited. Now answer the question: I think that institutions need to be held responsible for this, this is the third day I tried to draw attention to the impact of the damage, I even sent SMS to customers. My intention is not to harm anyone, I would only leave.”
Tecmundo: Have you ever thought about the next steps and what could happen now?
Pegasus: “Yes, everything is well planned. There are only things that we discover in the battlefield. Unfortunately, I cannot tell you so much about the report that Tecmundo did my job. For now, I can’t define them. I am another project and life that is already following next week. Here I use VPN + Cloud (Russia), there is a VM that uses proxy in the cloud and I use Meu for WhatsApp. This number is here I buy crypto (Moneto).
“About Neon, I hope they will rethink and accept my offer in a smart contract in Ethereum Network. [the contract was sent to TecMundo]. I hope they warn customers correctly, this is not marketing nonsense. But actually, I don’t know what will happen to them. I hope you get better. And the next time they pay more attention to their commitments.”
Tecmundo: So aren’t you afraid to be arrested for something like this?
Pegasus: “No. As I told you, I have been unlimited for more than 10 years, so I have no fear. And since I was underground, read with the benches since I was underground, there are no crystal balls and my saint is strong.”
Tecmundo: Can you tell me a little bit about you? Who are you?
Pegasus: “I love Felipe Ret (including his latest album), I love a message rap, I’m not a countryman fan. But I’m eclectic. I can’t explain my age, I’ve been working with Bounty since 2015, and since 2017, I’ve been doing a lot of work outside of crypto, Brazil, but you know, it’s up to you, you can’t see much fraud, and you can not see much fraud.”
Tecmundo: Do you know others with a similar orbit?
Pegasus: “I found friends with mine with mine in my career. This is to find critical and important flaws and they cannot do anything. They are considered cyber criminals by institutions, failures and so on. When I reported it .. And if possible, I want to leave them congratulations. Subzero and Maranhão. My friend, in morality, you want to cry when you see that these friends find the flaws very cool and that they cannot win a good financial prize. Because it is finally recognized.”
Tecmundo: You have difficulty arrested and I have difficulty paying you. Do you believe that the Public Prosecutor’s Office Service or the National Data Protection Agency will take action?
Pegasus: “I hope not to the customers, not mine. Deputy has to protect customers, to encourage justice is their function. If they don’t, I don’t really care, Brazil is not interested in ethical pirates. From my point of view, I love deputies, I work well with them, the federal police, civil police… I did very interesting things for them, there is a lot underground… Something else, the military police I stopped working with, after a while, the people who use my code for illegal espionage in many states, are covered in the streets He set up spy applications on his Android mobile phone.”
Tecmundo: This claim that the police installed spyware is a very strong complaint. I need you to talk more about this.
Pegasus: “This report is not good. There are people who will know how to define why I see why I am talking about and+b. I arrived at the civil police to condemn this stop and they ignored me. In fact, they put me in the ambulance of the firefighters and me medicines and so on. They injected. God is witnessing what I am talking about. Jesus is the king of the kings.”
Following Pegasus’ advice, I kept this point in our conversation and left it for another time. The complaint is strong, and if it is really true, it requires a special investigation, and yes, we will look into it soon.
After this exchange of messages, Pegasus deleted the number and ended our communication, but not before leaving his own contact e-mail, which we reproduce here: pegasus@pegasus.monster.
Our job is to inform you and make the digital world easier to understand. Therefore, here are some precautions to increase the safety of your cyber life.
- Be careful with incredible offers, promotions or information (if you have questions, call the official channels);
- Keep a good antivirus on your mobile and computer (Avast, Kaspersky, Eset, Malwarebytes, etc.);
- Use two-factor authentication on all your accounts (if possible, via a third-party app, without SMS);
- Ask for help: if you have any questions about any link or message, ask someone else for more information;
- Keep your applications and operating system up to date, especially browsers such as Chrome, Edge, Firefox, etc.;
- Watch the financial records in your name through the Central Bank registry;
- Check whether your passwords have been leaked;
- Use long (more than 12 characters) and complex passwords;
- Change your passwords every six months and do not reuse them across services.
Source: Tec Mundo
