The Black Shadow hacking group on Tuesday uploaded what it said was the full database of personal user information from the Atraf website, an LGBTQ dating service and nightlife index.
The group uploaded the file to a channel on the Telegram messaging app after a ransom demand of $1 million in digital currency to prevent the leak was apparently not paid.
The group wrote, in broken English, “48 hours ended! Nobody send us money. This is not the end, we have more plan.”
The group also posted screenshots of what it said were negotiations over the ransom. In the images of the conversations, Black Shadow supposedly refuses a ransom of $500,000. CyberServe denied negotiating with the hackers.
Black Shadow is a group of Iran-linked hackers who use cyberattacks for criminal ends, according to Hebrew media reports.
Cyber experts immediately warned against downloading the file the group had released.
The data leak has caused concern among those users of the Atraf site who have not publicly disclosed their sexual orientation or gender identification.
As the ransom deadline passed on Tuesday, the group uploaded the file, which they said contained the names of Atraf users and their locations, as well as the HIV status that some users had put on their profiles.
Yoram Hacohen, head of the Israel Internet Association, said, “This is one of the most serious attacks on privacy that Israel has ever seen. Israeli citizens are experiencing cyber terrorism.”
“This is terrorism in every sense and the focus now must be on minimizing the damage and suppressing the distribution of the information as much as possible,” Hacohen told the Ynet news site.
He argued Telegram was partially responsible for the incident, and that tech companies should act to limit the spread of the private information on their platforms. He also called on Israel to use legal and technological means to remove damaging information online.
The nonprofit Association for LGBTQ Equality in Israel said the number of calls to its helpline had doubled since the announcement of the hack. The group was particularly concerned over Arab and religious community members who could be affected by the hack, Kan news reported.
The group had initially hacked the CyberServe Israeli internet hosting company on Friday, taking down its servers and a number of sites, among them Atraf.
On Sunday morning, Black Shadow said in a statement that it was “looking for money” and would not leak further information if the ransom was paid within 48 hours.
“If we have $1 million in our [digital] wallet in the next 48 hours, we will not leak this information and also we will not sell it to anybody. This is the best thing we can do,” the hacking group said, noting that it was in possession of users’ chat content, as well as event ticket and purchasing information.
Later on Sunday, the hacking group threatened to release data on fifty “famous” Israelis who had been using Atraf.
“Atraf’s team did not contact us for any deal’s [sic] yet so we collected 50 famous israeli that were surfing and we leak their video’s to access the private group,” the group said.
The hackers said that they had not been contacted by anyone in the Israeli government or CyberServe. The hackers said the lack of contact showed it was “obvious [the hack] is not an important problem for them.”
Israel’s National Cyber Directorate said Sunday it had previously warned CyberServe that it was vulnerable to attack.
The Israel AIDS task force told the Walla news site this week that they were deeply concerned by the hack. “The thought that a person’s HIV positive status can be revealed not by their choice worries us very much,” the task force said.
“For many people, this is sensitive information that, if exposed, could raise concerns and cause anxiety,” the organization said, calling on the public not to further disseminate any personal information revealed in the leak.
The data leak has also worried those who have not publicly disclosed their sexual orientation or gender identification.
One anonymous user told Walla news: “Ever since I heard about this hack, I can’t stop thinking about it. I have intimate pictures and sexual correspondence on there, and it would destroy me if they ever reached my family.
“I use the site and buy party tickets from there also, so as well as the disturbing part about being [outed], there is also the matter of my credit card and identity details. It’s just scary.”
The cyber attack also hit other websites, including the Israeli public transportation companies Dan; Kavim, a children’s museum; tourism company Pegasus; and Doctor Ticket, a service that could have sensitive medical data, according to Hebrew media.
Black Shadow claimed responsibility for the attack and published what it said was client data including the names, email addresses, and phone numbers of Kavim clients on Telegram.
Hours later, the group said it had not been contacted by authorities or CyberServe, so it released another trove of information, including what it said was data pertaining to clients of the Dan transportation company and a travel agency.
The group breached Israel’s Shirbit insurance firm in December last year, stealing data. It demanded a $1 million ransom and began leaking the information when the firm refused to pay.
The new attack comes after an unprecedented, unclaimed cyberattack wrought havoc on Iran’s gas distribution system this week, which Tehran officials have blamed on Israel and the United States.
Iran and Israel have been engaged in a so-called “shadow war,” including several reported attacks on Israeli and Iranian ships that the two have blamed on each other, as well as cyberattacks.
In 2010, the Stuxnet virus — believed to have been engineered by Israel and its ally the US — infected Iran’s nuclear program, causing a series of breakdowns in centrifuges used to enrich uranium.