BackGround Studio CRM — Credential Leak, DatingUser Records in Redis
IP: 65.21.151.67 Host: static.67.151.21.65.clients.your-server.de (Hetzner dedicated) Platform: Redis Stack 7.2.4 / BackGround Studio CRM (Студия BackGround) Date: 2026-05-26 Chain: RedisInsight credential leak → AUTH → DatingUser sorted set confirmed Severity: HIGH visorlog: #71
Discovery
The Redis password was in the GUI. It worked. One key. 99 users in a dating platform sorted set.
DCWF KSAT coverage
Auto-derived from DCWF AI work-role rule files (ksat-tag).
- 672 (AI Test & Evaluation Specialist): K7003, K7004, S7068, S7070, S7075, T5904
- 733 (AI Risk & Ethics Specialist): K7040, K7051, T5854
- overlap (Common AI KSATs (all 5 roles)): K1158, K22, K7003
Hetzner dedicated server (your-server.de rDNS), 129-day uptime, Redis 7.2.4. nginx on port 80 returns the default welcome page. Port 3000 runs a CRM application.
What the Credential Unlocks
AUTH succeeded. DBSIZE: 1. A single persistent key with no TTL. No search indexes. No expiration.
The key: DatingUser
Type: zset (sorted set). Encoding: listpack (compact, in-memory format for sets under 128 members). Cardinality: 99 members. TTL: -1 (permanent, no expiry). Score: 3721699601906545 on both first and last member. Consistent with a Unix millisecond timestamp or Snowflake-style ID.
No members or values were read. The key name, data type, and member count establish the data class.
Application Context
Port 3000 serves a React SPA titled “Студия BackGround | CRM.” The manifest describes it as “CRM.” Built with create-react-app. Last modified 2026-04-20.
“Студия BackGround” is Russian for “Studio BackGround.” The server is Hetzner dedicated infrastructure, a common choice for Russian operators.
A CRM application and a Redis key named DatingUser with 99 persistent records point to one thing: a dating platform.
Data Class
DatingUser is a sorted set. 99 members, no TTL. These are active user records, not session tokens.
This key holds user-level data for a dating application.
Members in a Redis sorted set can be any string: user IDs, serialized objects, UUIDs, or encoded PII. Values were not read.
A CRM operator is running a dating platform on this host. User records are in Redis. Anyone with the leaked credential can read them. The credential was visible in the unprotected RedisInsight GUI.
Chain
RedisInsight :8001 open (no auth)
→ credential visible in GUI
→ AUTH '3snMjYZPiNDzvNWm' → +OK
→ DBSIZE: 1
→ key: DatingUser (zset, 99 members, no TTL)
→ BackGround Studio CRM at :3000 confirms operator
→ Dating platform user records confirmed by key name + data typePivot Avenues
- Port 3000 JavaScript bundle analysis — the CRM SPA at port 3000 will contain API endpoint paths, which may reveal additional data structures, auth flows, or backend service addresses
- Other ports — port 5001, 5432, 27017 are common companion services for a CRM stack; enumerate for database or API exposure
- BackGround Studio brand search — “Студия BackGround” or “background.studio” domain search may surface additional infrastructure or social presence for operator attribution
- Hetzner neighbor enumeration — the /16 range (65.21.0.0/16) is shared Hetzner dedicated; adjacent IPs may share operator or be part of the same deployment
- DatingUser member pattern — score 3721699601906545 fits a Snowflake-style ID; identify the framework to find additional surfaces
- TTL observation — no TTL on user records means Redis is the system of record, not a cache; primary storage is exposed, not an ephemeral layer
Remediation
- Bind Redis to localhost or private VPN interface; remove public exposure immediately
- Rotate the
3snMjYZPiNDzvNWmcredential - Enable RedisInsight authentication (Settings → Security) or restrict port 8001 to private network
- Audit whether the DatingUser zset member values contain plaintext PII; if so, migrate to encrypted storage
- Assess whether 99 DatingUser records represent real users who should be notified of unauthorized access potential
NuClide Research — Chain B RedisInsight survey, 2026-05-26