
Hole blasted in Guntrader: UK firearms sales website's CRM database breached, 111,000 users' info spilled online

One of the worst things that could happen to privacy-focused community


Criminals have hacked into a Gumtree-style website used for buying and selling firearms, making off with a 111,000-entry database containing partial information from a CRM product used by gun shops across the UK.

The Guntrader breach earlier this week saw the theft of a SQL database powering both the Guntrader.uk buy-and-sell website and its electronic gun shop register product, comprising about 111,000 users and dating between 2016 and 17 July this year.

The database contains names, mobile phone numbers, email addresses, user geolocation data, and more including bcrypt-hashed passwords. It is a severe breach of privacy not only for Guntrader but for its users: members of the UK's licensed firearms community.

Andrew Barratt, UK MD of infosec biz Coalfire, analysed the database after it was dumped on the RaidForums website. He told The Register: "I suspect it was probably a drive-by style attack. So gut feeling looking at the response from the attackers that they posted on forums, [it was] completely un-targeted, it was kind of very much like 'lol we pulled another site' and then it's like, oh, wow."

[Image: Guntrader's hack notification email to users]

Guntrader spokesman Simon Baseley told The Register that Guntrader.uk had emailed all the users affected by the breach on 21 July and issued a further update yesterday.

"The Information Commissioner's Office was informed within hours of the breach being discovered and since then we have been working with them and the other relevant agencies to mitigate whatever impact if any this might have upon Guntrader's users."

Baseley did not answer questions about why Guntrader's website has no information on it about the hack, at the time of writing.

Guntrader is roughly similar to Gumtree: users post ads along with their contact details on the website so potential purchasers can get in touch. Gun shops (known in the UK as "registered firearms dealers" or RFDs) can also use Guntrader's integrated gun register product, which is advertised as offering "end-to-end encryption" and "daily backups", making it (so Guntrader claims) "the most safe and secure gun register system on today's market."

Why are gun shops recording all this data?

British firearms laws say every transfer of a firearm (sale, drop-off for repair, gift, loan, and so on) must be recorded, with the vast majority of these also being mandatory to report to the police when they happen. This is a time-consuming process, especially for gun shops making lots of transfers every day.

Guntrader aimed to automate the tedious administrative side with its combined CRM and stock management product, which also interfaced with its website.

The product generated automatic emails to police firearms licensing units containing legally required data. It does not appear that these emails were captured in the stolen database.

The categories of data in the stolen database are:

Logs of payments were also included, with Coalfire's Barratt explaining that while no credit card numbers were included, something that looks like a SHA-256 hashed string was included in the payment data tables. Other payment information was limited to prices for rifles and shotguns advertised through the site.

Reports on shooting sports websites indicated that Guntrader had blamed an iframe on a customer's website as the point of entry. We have asked for more information about this and will update this article if Guntrader gets back to us.

Although it seemed likely that the database contained copies of RFDs' electronic registers and police transfer notifications, Barratt's analysis showed that this was not the case. He told The Register: "There's no evidence of that correspondence in the CRM tables that seem to have been pulled… I suspect the way the product works is upon a transaction taking place, it just generates that message and notifies the local [police] force dynamically" without keeping a record of it.

Barratt also warned that copies of the database being shared online are laced with malware, cautioning shooters not to download it themselves to check if their info is in it (more advice is available towards the end of this article).

Garry Doolan, deputy director of communications for the British Association for Shooting and Conservation, told The Register: "It's likely to be a while before the full implications of this breach are known. We expect a full investigation to provide the detail, but we don't need the outcome of that investigation to tell us that such a breach is a significant concern for shooters."

He added: "The best advice has to be for gun owners to be vigilant and aware of their personal and home security. BASC is working with the National Crime Agency to ensure we can brief our members with the most up-to-date information. If people spot anything suspicious, they should inform the police immediately."

The National Rifle Association and the British Shooting Sports Council are aware of the hack.

Public feeling about the hack at the National Shooting Centre, Bisley Camp, where the National Rifle Association's annual championships are taking place this week, was grim yesterday as some competitors realised their personal data had been obtained by crooks. Some put a brave face on it, with one quipping to your correspondent: "They set out to piss off the gun owners? Really?"

What should I do about this?

You can check if your data is included in the hack by visiting Have I Been Pwned and inputting your email address. HIBP is a trusted resource run by Microsoft regional director Troy Hunt.

If you're a shooter, don't be tempted to download the database yourself from the various places it is circulating online. If you've already done that, run a full antivirus scan of whatever devices you opened the file on. If you're not sure what that means, ask a tech-savvy friend or relative for help.

Coalfire's Barratt said the most meaningful security risk resulting from this comes from burglaries, though he pointed out that all lawfully owned firearms and shotguns in the UK are stored in hefty police-approved safes, joking that criminals would need "plasma cutters" to break into secure storage.

If you used the same password on Guntrader that you used on other websites, change it now. Criminals are well known for testing stolen usernames and login information against other popular websites (eg, email services, online banking) to see if they'll work.
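The credential-stuffing attempts described above leave a recognisable trace in a site's authentication logs: one source address trying many different usernames in a short window and mostly failing. The following detector is an added example for this article, not code from Guntrader, Coalfire or anyone quoted here; the log format and the sample lines are constructed for the illustration, and the thresholds are assumptions to tune for a real deployment.

```python
"""Flag credential-stuffing sources in authentication logs.

Heuristic: a single source IP attempting logins for many *distinct*
usernames within a short window, with a low success rate, is far more
likely to be replaying a leaked credential list than a legitimate user
mistyping a password.  Any successes inside such a burst are probable
account takeovers (reused passwords) and should be reset.

The log format below is assumed for this example; adapt LOG_RE to the
product you actually run.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line into an Attempt, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Attempt(
        ts=datetime.fromisoformat(m["ts"]),
        ip=m["ip"],
        user=m["user"],
        ok=(m["result"] == "success"),
    )


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.2):
    """Return {ip: summary} for sources that look like credential stuffing.

    A source is flagged when any sliding window of `window` length holds
    attempts for at least `min_users` distinct usernames with a success
    ratio at or below `max_success_ratio`.  The summary covers all of
    that source's attempts, so a successful guess after the triggering
    window is still reported.
    """
    by_ip = defaultdict(list)
    for line in lines:
        a = parse_line(line)
        if a:
            by_ip[a.ip].append(a)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits in `window`.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            win = attempts[start:end + 1]
            users = {a.user for a in win}
            successes = sum(a.ok for a in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip] = {
                    "distinct_users": len({a.user for a in attempts}),
                    "attempts": len(attempts),
                    "successes": sum(a.ok for a in attempts),
                    # Accounts that accepted a guessed password: reset these.
                    "compromised": sorted(a.user for a in attempts if a.ok),
                }
                break
    return flagged


# Constructed sample log: one stuffing burst from 203.0.113.7 (six users,
# one hit) and one ordinary user retyping a password from 198.51.100.9.
SAMPLE_LOG = """\
2021-07-20T09:00:01 auth failure ip=203.0.113.7 user=alice
2021-07-20T09:00:02 auth failure ip=203.0.113.7 user=bob
2021-07-20T09:00:03 auth failure ip=203.0.113.7 user=carol
2021-07-20T09:00:04 auth success ip=203.0.113.7 user=dave
2021-07-20T09:00:05 auth failure ip=203.0.113.7 user=erin
2021-07-20T09:00:06 auth failure ip=203.0.113.7 user=frank
2021-07-20T09:01:00 auth failure ip=198.51.100.9 user=grace
2021-07-20T09:01:30 auth failure ip=198.51.100.9 user=grace
2021-07-20T09:02:00 auth success ip=198.51.100.9 user=grace
""".splitlines()


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-user count alone is not enough: a corporate NAT or a shared Wi-Fi address can legitimately present many usernames, which is why the low success ratio is the discriminating signal. Raising `min_users` reduces false positives at the cost of missing slow, low-volume stuffing; the accounts listed under `compromised` are the ones whose owners reused a leaked password and need a forced reset.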

While bcrypt is well regarded in the infosec world as a deliberately slow password hashing algorithm, it is not invulnerable: the work factor only raises the cost of each guess, so a short, common or reused password still falls quickly to an offline dictionary attack. This applies especially if you're one of the public figures whose data is said to be in the leaked database, since those hashes are the ones an attacker will spend the most effort on. ®
