In basic terms, the Usenet system is made up of thousands of servers around the world where users can post discussions or content, otherwise known as binaries. These banks of servers share this information with other banks, allowing the data to propagate around the world. Having its roots in 1979, it is one of the oldest methods still around to share files on a large scale.
While most Usenet use flies under the radar these days, huge volumes of data are shared on a daily basis. To access this content, users can subscribe to Usenet providers which, for a fee, supply Usenet login credentials allowing often metered access to the ‘newsgroups’. This weekend, however, signs of trouble became evident.
In a post on Obload, a web-based German-language Usenet discussion forum, an administrator alerted users to a serious situation involving the Momentum Usenet client, a software tool used to access Usenet. According to research carried out by a user called ‘Tensai’, Momentum – a relative newcomer to the Usenet scene – not only facilitates access to Usenet but also swipes Usenet users’ login credentials and NZB data and uploads them to a site called Newzbee.
The immediate advice was to stop using Momentum and, since users have to enter their Usenet provider’s username and password into Momentum for it to work, to immediately change their passwords at their Usenet provider. If true, and to put things another way, this situation is akin to users using a third-party application to access Netflix and then having that application steal their Netflix username and password.
TorrentFreak contacted both Momentum and Newzbee on Monday but neither responded to our requests for comment. However, at the same time and quite unusually, another major development was breaking in the Usenet space.
On Usenet1, a site dedicated to Usenet matters, a post revealed that several major Usenet providers and tool operators were experiencing “massive problems”. They included UseNext, Usenet.nl, Gigaflat, plus HolmeZ.com and Momentum Plus, the latter two sites being directly connected to the Momentum client.
Checking UseNext’s and Usenet.nl’s portals revealed both to be completely offline, which is extremely rare for such high-profile suppliers of Usenet access. With the latter reporting nothing, the former has now issued a major security advisory to its substantial customer base.
“Unauthorized persons have accessed our infrastructure via a security hole in a partner company. We are currently analyzing what damage may have occurred. For security reasons, all systems are currently offline,” the company said in a statement.
At the time of writing there is no clear evidence to link the alleged misconduct of the Momentum client with the downtime at major Usenet providers. However, the fact that two serious events have occurred almost simultaneously has set alarm bells ringing, and for UseNext, which listed Momentum as a preferred Usenet client on its site (before it was taken down), the implications appear extremely serious.
“There could be a risk that attackers could gain access to your account information. Your name, billing address, payment data such as IBAN and account number and other data that we have processed to carry out your contract are potentially affected. Accessing your bank details puts you at risk of becoming a victim of fraud or identity theft,” the company warns.
While UseNext is advising its users to change their passwords, the ability to do so on UseNext.de doesn’t exist as the site is down. However, there are bigger problems too. If users have duplicated passwords on other sites, they may also be compromised.
“Change your account passwords immediately. Most important are the accounts that are needed to restore other accounts or passwords. If you also use these passwords for other sites, you should change them there too,” UseNext advises.
“Check the settings of your accounts (e.g. automatic forwarding of messages). Any changes indicate unauthorized access. Correct the settings if necessary. If you find that someone is using your identity, please notify the provider of the affected account immediately and have the account blocked.
“Also let friends know about possible identity theft. As of now, watch out for suspicious debits on your accounts. Check your inbox for fraudulent phishing emails. Do not click on any links that appear suspicious to you, but report them,” UseNext adds.
UseNext says it has reported the matter to the authorities but in the meantime, its service will remain down until the company can determine the scale of the breach. Users can contact the company for information via a dedicated hotline.
For now, and at least until the makers of the Momentum client issue a statement, the general advice is to stop using the client and consider any Usenet credentials entered into the software as compromised, including the related Usenet provider accounts and, of course, any other services where passwords were duplicated.
Update: Tim Kuik of Dutch anti-piracy group BREIN says he’s not surprised that something like this has happened.
“My thoughts on reading this are: Par for the course, no honor amongst thieves,” Kuik says.
“Commercial Usenet providers are in it to make money, they copy the uploaded content of users to their own server park and then charge for access. We saw them funding NZB sites and uploaders just to keep the illegal content coming. It does not surprise me that they cannot be trusted.”