Dutch site’s zero-day hack: a lesson in vulnerability scanning

The hack of the Dutch site Hookers.nl provides a valuable lesson in cybersecurity.

Last month (at the time of writing this post), a Dutch website was hacked. This was not just any website. It was a forum used by, among others, employees of Dutch governmental institutions like law enforcement, foreign affairs and the ministry of defence. Normally such a breach would simply mean that users of the affected site would be notified and encouraged to change their passwords, but as mentioned before, this is not just any website. 

The hacked website was Hookers.nl, a vBulletin-based forum used by prostitutes and their customers.* Hackers were able to lift the entire database using a 0day exploit that worked on all 5.x versions of the vBulletin commercial forum software. The information they stole included usernames, IP addresses, and password hashes.

We will get into the implications of the stolen data in just a moment but first, it is important to understand how the site was hacked and what this means for your business. 

* It’s important to note that prostitution is legal in the Netherlands, so the existence and use of this site breaks no laws. However, prostitution still carries a stigma in much of society, and allegations of adultery are a very powerful blackmailing tool.

Zero-day exploits and vulnerability scans

Zero-day exploits

Zero-day (or 0day) exploits target vulnerabilities that currently have no fix and are typically unknown to the software developer or vendor. On September 23rd, 2019, a vBulletin 0day exploit was posted on the SecLists “Full Disclosure” mailing list. This RCE (remote code execution) exploit essentially meant that all version 5.x vBulletin instances, worldwide, were open to being hacked.

Vulnerability scans

Using different scanning tools, hackers were able to perform a global automated scan for websites running the exploitable version of vBulletin. Within hours to days, websites all over the world could be scanned to create a list of vulnerable targets. The 0day exploit would then be launched and the forum’s database stolen. 

Knowing that hackers tend to go after low-hanging fruit, it is highly likely that the hack on Hookers.nl on the 25th or 26th of September was automated, meaning that when exploitable systems were found, the 0day exploit was launched automatically. The email addresses, IP addresses, and password hashes are actively being traded underground and the whole data dump goes for about 2 euros.

The top 35 passwords cracked from the Hookers.nl hack (Source: ScatteredSecrets)

Why you should scan for vulnerabilities

Running continuous vulnerability scans on your internet-facing assets can significantly reduce the occurrence of ‘in the wild’ 0day exploitation. Continuous monitoring tells you that something is vulnerable before hackers have the time to exploit it. This type of scanning is no longer something that only large corporations can afford. If the hackers themselves can run a global scan, then a business can afford to monitor its systems for vulnerabilities.
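As an added illustration (not code from spriteCloud or from the original post), the sketch below shows the triage step that follows a scan: matching an advisory such as "all vBulletin 5.x versions" against an asset inventory. The inventory, hostnames and version strings are constructed, and the status names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Advisory as described in the post: the 0day worked on all vBulletin 5.x versions.
ADVISORY = {"product": "vbulletin", "affected_major": 5}

@dataclass
class Asset:
    host: str
    product: str
    version: Optional[str]  # None when the scanner could not fingerprint a version
    internet_facing: bool

# Constructed inventory; hostnames use the reserved .example TLD.
INVENTORY = [
    Asset("forum.corp.example", "vBulletin", "5.5.4", True),
    Asset("old-forum.corp.example", "vBulletin", "4.2.5", True),
    Asset("community.corp.example", "VBULLETIN", None, True),
    Asset("intranet-forum.corp.example", "vBulletin", "5.3.0", False),
    Asset("shop.corp.example", "WordPress", "5.2.3", True),
]

def major_version(version):
    """Return the leading integer of a version string, or None if unparseable."""
    if not version:
        return None
    m = re.match(r"\s*v?(\d+)", version)
    return int(m.group(1)) if m else None

def triage(asset, advisory=ADVISORY):
    """Classify one asset as 'exposed', 'affected-internal', 'review' or 'ok'."""
    if asset.product.strip().lower() != advisory["product"]:
        return "ok"  # a matching version number on another product is irrelevant
    major = major_version(asset.version)
    if major is None:
        return "review"  # affected product, unknown version: never assume safe
    if major != advisory["affected_major"]:
        return "ok"
    return "exposed" if asset.internet_facing else "affected-internal"

def report(inventory=INVENTORY):
    """Group hosts by status, most urgent status first."""
    out = {"exposed": [], "review": [], "affected-internal": [], "ok": []}
    for asset in inventory:
        out[triage(asset)].append(asset.host)
    return out

if __name__ == "__main__":
    for status, hosts in report().items():
        print(f"{status:18} {', '.join(hosts) or '-'}")
```

The "review" bucket matters as much as "exposed": an affected product whose version the scanner could not determine has to be checked by hand rather than counted as safe.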

spriteCloud utilises an engine that is comprised of multiple vulnerability scanners that are kept up-to-date with the latest threat intelligence developments; covering both the application and infrastructure layers. The frequency and depth of these automated scans can be easily customised as per the organisation’s security policies and requirements. Get alerted immediately about potential 0day exploits in your assets before your organisation gets infiltrated. 

The implications

Blackmailing and scamming

The weakest link in your security is always going to be your personnel. The prevalence and success of social engineering scams like phishing are a testament to this. Usually, independent hackers are looking for a quick payout, but state-sponsored hackers have other motives that have very significant implications for national security.

The resulting database dump contained information that could be linked to individual Hookers.nl users. Just think of the possibilities that a hacker has at his disposal if he is able to blackmail a high-level employee in the Dutch Ministry of Defence (Ministerie van Defensie). Think along the lines of “Plant this malicious software into the MinDef system or I ruin your marriage and family.”

Expect to hear of blackmailing and scamming attempts very soon.

Credential stuffing

The vast majority of people use a similar, if not the same, password across multiple websites. Once an email address and password are stolen, hackers will stuff those credentials into other websites to see if they can gain access. One breach can lead to hackers accessing other accounts. While this is a risk, the blackmailing implications are by far the greater danger to society from this Hookers.nl hack.
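On the defending side, credential stuffing leaves a recognisable pattern in login logs: one source trying many different accounts and mostly failing. The following detection sketch is an added example, not part of the original post; the log format, sample lines and thresholds are constructed assumptions, and it treats the whole log as one short time window.

```python
from collections import defaultdict

# Constructed auth log: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-10-01T09:00:01 203.0.113.7 alice FAIL
2019-10-01T09:00:02 203.0.113.7 bob FAIL
2019-10-01T09:00:03 203.0.113.7 carol OK
2019-10-01T09:00:04 203.0.113.7 dave FAIL
2019-10-01T09:00:05 203.0.113.7 erin FAIL
2019-10-01T09:00:06 203.0.113.7 frank FAIL
2019-10-01T09:01:10 198.51.100.20 gina FAIL
2019-10-01T09:01:15 198.51.100.20 gina FAIL
2019-10-01T09:01:20 198.51.100.20 gina OK
2019-10-01T09:02:00 192.0.2.50 heidi OK
2019-10-01T09:02:05 192.0.2.50 ivan OK
2019-10-01T09:02:09 192.0.2.50 judy OK
2019-10-01T09:02:30 192.0.2.50 karl OK
2019-10-01T09:02:41 192.0.2.50 lena FAIL
malformed line
"""

def parse(log):
    """Yield (ip, username, success) per well-formed line; skip anything else."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def detect_stuffing(log, min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts and mostly fail."""
    users, hits = defaultdict(set), defaultdict(set)
    attempts, fails = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)  # account whose password worked from this source
        else:
            fails[ip] += 1
    findings = {}
    for ip, total in attempts.items():
        ratio = fails[ip] / total
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(users[ip]),
                "fail_ratio": round(ratio, 2),
                "reset_passwords_for": sorted(hits[ip]),
            }
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The two unflagged sources show why both conditions are needed: one user retrying a password is not stuffing, and a shared office address with many accounts logs in successfully most of the time.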


The moral of this story is that your customers’ data needs to be protected and at the very least you should be monitoring your systems for vulnerabilities. If this post resonated with you then please view our cybersecurity testing services, and don’t let your business and its customers be hurt by lax security.



Written by: Travis Hatridge

Travis is the Marketing Manager at spriteCloud. He has an MSc in Marketing and a background in content marketing. He enjoys cooking, travelling, and long walks through the forest.
