In the aftermath of last month’s successful attacks against three of Comodo’s affiliate Registration Authorities, Cryptome has just published a database purportedly belonging to GlobalTrust and InstantSSL. It is likely that the database was obtained during last month’s security breach, in which an Iranian attacker caused fraudulent certificates to be issued for several high-value domains, including www.google.com. Many GlobalTrust websites were subsequently taken offline for forensic investigation.
GlobalTrust.it is still up and running, but it appears that InstantSSL.it has quickly been taken down again, possibly to defend it against any unauthorised access which may result from this latest leak. The site currently responds with a 403 Forbidden message.
The ComodoHacker stated via Twitter that the comodo-db.rar file on cryptome.org contains the “entire database of GlobalTrust and InstantSSL Italy”. ComodoHacker proved his involvement in last month’s attack by publishing the private key for one of the fraudulently issued certificates, so it is likely that this file does indeed contain the compromised database.