In a recent scandal, Vianet – one of the leading Internet Service Providers (ISP) of Nepal faced an outrageous data breach. 176,518 customers were directly affected by the breach and thus it was named as the ‘biggest data breach in the history of Nepal‘.
At just 16 years-old, Narpichas aka Nare Bhai breached Vianet claiming he was frustrated with the Vianet team because they did not look at his reports at all. He affirmed to have uploaded a payload on Vianet’s website and host the leaked database in the Dark-Web through Tor browser. Regretting his mistake and pointing out the lack of security, Narpichas has opened up to the public through a blog.
When we asked about the incident, here is what Narpichas (Nare Bhai) had to say.
How did you come up with the name – Narpichas or Nare Bhai and why did you choose to use this name in particular?
This answer covers a mystery actually “What is Bramhapichas, and is another hacker named after Bramha same?”
So, I had come up with the name ” Bramhapichas” which means, “A student who has died before the expected time of his death” but later found it to be less attractive then I decided to simply use the name “Narpichas” because I found it cool and classic. The term “Nare Bhai” was generated simply because it resembled “Narpichas” and I was just tired of the name “Narpichas” because people in the custody were calling it time and again which did hurt.
When did you discover Vianet’s leak and why did you choose to publicize it?
I discovered it long ago, I’m not sure about the time of discovery though. I’d reported it, waited for around 1.5 years and saw no activity. I was really pissed off. So, I decided to make use of the exploit because developers won’t care about reports, and found leaking it a best way to demonstrate the risk of not caring about the vulnerability reports.
Do developers in Nepal underestimate the concerns regarding user data?
Yes, definitely in Nepal since only business matters to them the most. And much like Vianet, developers simply won’t care until and unless someone senior asks them to do care about it.
If you were to come across another breach like Vianet’s, what would you do?
I will definitely not report it nor breach it, I’ll just wait for some a*shole to sell it. (If s/he finds the endpoint, I’ll not be involved though) letting them do it would make them face the real threats and good luck suing the attacker.
What are your propositions for the upcoming hackers in Nepal?
Don’t focus on the security here in Nepal as much, trust me “they don’t deserve it”, instead go search for bug bounties and have a cash flow, you may touch applications listed on bug hunting platforms i.e. bugv, hacker1, bug crowd, integriti, etc.
Claiming to be just another infosec guy, Narpichas professed to have aimlessly come across the security vulnerabilities of Vianet and says it would have been patched without a fuss had they attended the user’s report.