Hacktivists breached Andrew Tate’s online platform “The Real World,” exposing data on 794,000 users — a platform the attackers described as “hilariously insecure.” HN47 also covers Russian RomCom hackers chaining two zero-days — a Firefox use-after-free (CVE-2024-9680) and a Windows Task Scheduler privilege escalation (CVE-2024-49039) — to achieve drive-by remote code execution with no user interaction required, targeting government, defense, energy, and pharmaceutical organizations across Europe and North America.
Stories Covered
“Hilariously Insecure”: Andrew Tate’s Platform Breached, 794k Users Exposed
Hacktivists breached Andrew Tate’s online education platform “The Real World” (formerly Hustlers University), flooding its primary chat room with emojis as proof-of-access before extracting and sharing approximately 794,000 usernames with the Daily Dot and journalism collective DDoS Secrets. The stolen data also included 324,382 unique email addresses belonging to users who had been removed from the main database after canceling subscriptions. The full data dump, reported at roughly 14-15 gigabytes, originated from 221 public and 395 private chat servers. A source close to the hacktivists described the platform’s security posture as “hilariously insecure,” and the breach appears to have been enabled by an unpatched vulnerability that gave attackers the ability to upload emojis, delete attachments, crash client sessions, and temporarily ban users.
Two elements are worth unpacking here. First, the “less secure environment” reference likely points to a common pattern in web infrastructure: staging, development, or testing environments that were set up to support deployment but were never properly deprecated or hardened. These environments often inherit production data or schema but don’t receive the same access controls, making them a frequent source of leaks. Default credentials on databases, exposed admin panels, or stale test instances with real user data all fall into this category. Second, the unpatched vulnerability points to basic patch management failure — a known bug with an available fix that was simply never applied.
The reputational angle adds context but doesn’t change the security lesson: 800,000 people’s usernames and email addresses are now publicly available, regardless of why they were on the platform. Email addresses extracted from breached platforms are directly usable in phishing campaigns, credential stuffing attacks, and targeted social engineering. The fact that a cancelled-user database appears to have been stored in a less-secured location than the active-user database suggests the platform lacked a coherent data lifecycle policy — users who stop paying don’t stop having privacy interests.
RomCom Hackers Chain Firefox + Windows Zero-Days for Drive-By Backdoor Deployment
Russia-linked RomCom cybercrime group (also tracked as Storm-0978, Tropical Scorpius, and UNC2596) chained two zero-day vulnerabilities to achieve remote code execution against Firefox and Tor Browser users across Europe and North America, with no user interaction required beyond visiting an attacker-controlled website. The first flaw, CVE-2024-9680, is a use-after-free bug in Firefox’s animation timeline feature that enables arbitrary code execution inside the browser sandbox. The second, CVE-2024-49039, is a privilege escalation vulnerability in the Windows Task Scheduler service — patched by Microsoft on November 12th — that allowed attackers to escape the Firefox sandbox and execute code with elevated privileges on the host system.
The attack chain worked as follows: a target visits a malicious or attacker-controlled page, which silently redirects through a server hosting the exploit. If the browser is vulnerable, the chain fires without any click or download confirmation — shellcode executes, downloads the RomCom backdoor, and installs it on the system. The target is then redirected to a legitimate-looking destination page, leaving no obvious trace of what just occurred. The Tor Browser targeting (exploiting versions 12 and 13 via a JavaScript file named main-tor.js) is particularly notable — Tor users are typically a privacy-sensitive demographic including journalists, activists, and security researchers in high-risk environments.
Zero-day chains of this caliber are expensive — individual zero-days in major browsers and operating systems trade for millions of dollars on gray markets. RomCom’s deployment of two chained zero-days reflects both the group’s government backing and the strategic value of the targets: ESET’s telemetry showed between one and 250 potential victims per country, spanning government, defense, energy, pharmaceutical, and insurance sectors. RomCom previously exploited a zero-day in Windows and Office products (CVE-2023-36884) to attack organizations attending the 2023 NATO Summit in Vilnius — the Firefox and Windows chain follows the same pattern of high-sophistication, high-value targeting aimed at intelligence collection and espionage.
Leave a Reply