
Zeeroq Data Breach

Godlygamer23

Hello all,

Today, I received an Identity Monitoring notification through Credit Karma of a data breach of some personal account. When I reviewed the notification, it claimed that I had a data breach at a website called "zeeroq.com" with my email account, and whatever password was chosen. My immediate reaction was to Google "zeeroq" and the first result was a Reddit post talking about the same issue from a couple days ago (link). Scrolling down further leads to a medium.com article about the data breach (link).

 

Here's a screenshot of what I saw within the Credit Karma app:


The aforementioned Reddit post has users suggesting that the site was a fake or scam. Scrolling down further does show the zeeroq website. I was very curious about this website, so I decided to fire up a virtual machine of W10, and navigated to the website.

 

Here is a final screenshot of what I saw:


When I navigated to the original URL, the URL bar within Vivaldi was showing about 3 different links before I ended on the page above. I'll be doing more research on this, but this is more of a PSA for everyone to NOT go to the URL if you see that data breach notification. I don't know what's going on here, but I wonder if CK itself has been breached, and the bad actors are utilizing the platform to attempt to scam people.

 

Edited by Godlygamer23
Added medium.com link

3 hours ago, Godlygamer23 said:

Scrolling down further leads to a medium.com article about the data breach (link).

That article is AI generated. It's complete fluff. Look at where it says that the company put out statements and responded to the breach - that never happened. It looks like they asked ChatGPT to generate an article about a website called "zeeroq.com" suffering a data breach. It's no more insightful than any generic post about what a data breach is and general advice about what you should do.


This did pique my curiosity though.

zeeroq.com did indeed have data exposed in a data breach - or at least a dataset was found that was attributed to it. Leak-lookup.com indexed a data breach for zeeroq.com back in 2022. That was the date leak-lookup indexed it into their archive (i.e. after they found it shared on the dark web), not the date of the original breach.

The dataset contained 231 million records stated to include email addresses and passwords.


Why are you being alerted to this now?

Leak-lookup themselves suffered a data breach in January 2024 and all of the data breaches that they've indexed and stored were stolen. Data breaches from thousands of websites were stolen from leak-lookup 🤦‍♂️

This data stolen from leak-lookup has made its way onto the dark web and is being shared. Data security monitoring services such as your Credit Karma are finding these datasets that were re-leaked from the leak-lookup breach and alerting their users.

 

 

So what is zeeroq.com?

zeeroq.com is currently a parked domain being hosted by a domain parking company called ParkLogic. This company places advertisements on parked (inactive) domains. Most likely the scam message you see when visiting the site advising you that your computer has a virus is an advertisement being delivered by this domain parking company (probably unknowingly if they don't vet the ads they serve).

 

Using the Wayback Machine we can see that prior to 2022, when the breached data was indexed, the zeeroq.com website was being used by a digital marketing and web development agency operating under ZeeroQ branding owned by a company called Nirvign Web Solutions that was founded in 2019 and based out of Jaipur, India. https://web.archive.org/web/20200703203023/http://zeeroq.com/

 

In many cases, a web development and digital marketing company operating out of India is really just a fancy name for a spam farm. They even advertise themselves as providing marketing services through "Email Marketing" and "promote your business through [...] social media platforms, forums". In other words: spam.

Quote

Digital Marketing

We are a team of creative people that loves to share out of the box ideas with the world through innovative contents. Zeeroq helps our customers in building brand identity through Branding solutions, Social Media Marketing, better visibility on Search Engine Page Results, Email Marketing and more.

At Zeeroq, we come up with result-driven strategies to increase your business visibility, online reach, brand awareness and ROI. We promote your business through different digital platforms including Search Engines like Google, Bing and Yahoo, websites, social media platforms, forums and so forth.

 

Looking at the dataset of 231M records I extremely doubt those were registered users of this digital marketing and web development website. I think one of two things is far more likely.

  1. The dataset was actually hosted on (and stolen from) zeeroq.com. If that digital advertising and web development company really was a spam farm then it's very possible that they were using stolen user data from other websites and breaches for spamming purposes. It's possible Zeeroq was hacked and their collection of user data/credentials was stolen and that dataset/breach that is likely made up of data stolen from various other data breaches was attributed to zeeroq.
  2. [Unlikely] The data breach was incorrectly attributed to zeeroq.com. Whoever posted the data to the dark web attributed the data to that website, possibly to obfuscate the actual source.
    • It's possible that hackers took over the zeeroq website at some point to host stolen data they were selling and that's why the breach was attributed to them, but that's also very unlikely.

 

Since you and many other people on Reddit reporting this aren't aware of what zeeroq is, it's likely not data you provided to them and would be data that was collected from other data breaches. Since it's reported to include passwords it wouldn't be a legitimate data brokerage firm selling personal data that you consented to be sold to marketing agencies in some long ToS when signing up to something. For it to include passwords it would have been obtained illegally. I don't see any legitimate reason for a web development/digital marketing company to have 231M records of usernames and passwords. The only reason they would have that data is if they were using it to spam/scam.

 

 

TLDR; Your data was stolen many years ago from some other unknown website. A spam company from India had your username and passwords in a collection of data likely made up from a collection of other data breaches. The spam company was hacked and their collection of data was stolen. A security company that indexes data breaches that have been shared on the dark web found that data breach being shared back in 2022 and added it to their archive. That security company themselves were hacked in 2024 and the data was stolen again. That stolen data was recently shared on the dark web again after the most recent breach and detected by Credit Karma who alerted you of the breach.

 

 

Pop your email address into haveibeenpwned and the Cybernews data leak checker to see a list of known websites your data has been stolen from.

If you're using the same password on other websites you should change them immediately. Use unique passwords for each website and enable 2FA where available.


18 minutes ago, Spotty said:

Looking at the dataset of 231M records I extremely doubt those were registered users of this digital marketing and web development website. I think one of two things is far more likely.

  1. The dataset was actually hosted on (and stolen from) zeeroq.com. If that digital advertising and web development company really was a spam farm then it's very possible that they were using stolen user data from other websites and breaches for spamming purposes. It's possible Zeeroq was hacked and their collection of user data/credentials was stolen and that dataset/breach that is likely made up of data stolen from various other data breaches was attributed to zeeroq.
  2. [Unlikely] The data breach was incorrectly attributed to zeeroq.com. Whoever posted the data to the dark web attributed the data to that website, possibly to obfuscate the actual source.
    • It's possible that hackers took over the zeeroq website at some point to host stolen data they were selling and that's why the breach was attributed to them, but that's also very unlikely.

I have found that back in 2020 there were several pastes of user credentials (lists of emails & passwords) hosted on the zeeroq website.


demo.zeeroq.com/email/combos.vip-googlemail.com.txt

demo.zeeroq.com/email/combos.vip-icloud.com.txt

demo.zeeroq.com/email/combos.vip-comcast.net.txt

[apparently there were more collections of data hosted there but with the website down and going off of forum posts from people discussing the pastes that's all I can easily find]

 

It's still possible that these were collections of credentials that zeeroq were using themselves and they were just careless in the way they hosted and managed the data which allowed it to be publicly accessible on their site, but it's also possible that it could have been somebody else (i.e. a hacker) using the zeeroq website to host these collections of data.
Either way the moral of the story is once your email & password gets out there it will continue to get shared around for years and recycled into new collections.

Edited by Spotty


12 minutes ago, Spotty said:

I have found that back in 2020 there were several pastes of user credentials (lists of emails & passwords) hosted on the zeeroq website.


demo.zeeroq.com/email/combos.vip-googlemail.com.txt

demo.zeeroq.com/email/combos.vip-icloud.com.txt

demo.zeeroq.com/email/combos.vip-comcast.net.txt

[apparently there were more collections of data hosted there but with the website down and going off of forum posts from people discussing the pastes that's all I can easily find]

 

It's still possible that these were collections of credentials that zeeroq were using themselves, but it's also possible that it could have been somebody else using the zeeroq website to host these collections of data.
Either way the moral of the story is once your email & password gets out there it will continue to get shared around for years and recycled into new collections.

Yeah, I figured the medium.com article was generated by AI, at least somewhat, especially with the comment at the bottom of said article.

 

So I did put my email into https://haveibeenpwned.com and found "demo.zeeroq.com" came up - date of occurrence is unknown, but this data breach apparently goes back to January 2024, per my screenshot, and as you mentioned, the data may have been stolen already and that was simply when it was detected.

2 minutes ago, Godlygamer23 said:

So I did put my email into https://haveibeenpwned.com and found "demo.zeeroq.com" came up - date of occurrence is unknown, but this data breach apparently goes back to January 2024, per my screenshot, and as you mentioned, the data may have been stolen already and that was simply when it was detected.

Yeah, it was re-leaked in the leak-lookup breach that occurred in January 2024.

https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

 

The demo.zeeroq paste was detected July 2020. Leak-lookup entered it into their database in August 2022. Leak-lookup was hacked in January 2024.

The data leaked on zeeroq in July 2020 is a collection of data stolen from other breaches. Your data was originally stolen from an unknown website some time prior to July 2020.

Credit Karma was unaware of the demo.zeeroq paste from July 2020 despite it being a known and documented paste which had been indexed by haveibeenpwned (unknown when) and leak-lookup (August 2022). Credit Karma is only seeing it for the first time from the January 2024 leak-lookup breach when the same data was exposed again.
