A hacker gang has cracked a rival subscription vulnerability service and promises to release some $24,000 in claimed stolen exploits if it gains 30,000 subscribers by next week.
The gang runs the 1337day vulnerability subscription service. It said it busted into the site by reinstalling its Magento content management system and uploading a shell.
"If we have 30,000 [RSS] subscribers by 16/12/2012, we will publish the private exploits we attained (sic) from ExploitHub," Inj3ct0r Team wrote in a Facebook post.
ExploitHub admitted to the breach of its webserver but said there was yet no evidence that its exploits were stolen.
"The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part," it said.
"The database on that server however only contains information used by the web application itself as well as product information such as exploit name, price, and author, but does not contain any actual product data such as exploit code. The product data is stored elsewhere and there is currently no evidence that the storage location was accessed..."
It qualified by stating that the investigation into the breach was ongoing. Its website was inaccessible at the time of writing.
Inj3ct0r Team did not reply to requests by SC yesterday to be supplied with a sample of the exploits in contention to verify thier claims.
The raided company's exploits were sourced from public disclosures and were not zero-day, reducing the risk to patched users should the group follow through and release the cache.
But some hacking groups have historically broken promises to release supposed stolen data in exchange for additional social media followers or even ransoms.