Help! All data in mybook live gone and owner password unknown

@jacyjacy77 no it does not. Been running 60+ hours and only 12% done. Am thinking of stopping this scan using Disk Internals Data Recovery and having a go with Photorec. Not sure where or how to get it yet!!!

IOW, if you find nttpd in your logs, etc. on a MBL that means you likely got hacked to some extent and it’s not going to be a false positive

Sounds right

time

Well it sure looks like it uses ntp, but I just checked and the binary on my desktop is:
linuxcpa@desktop: which ntpd
/usr/sbin/ntpd

So my mistake there.

@darkchanter is that just one program???

See that’s the strange thing. Why did this only happen on that particular day. Feels like some kind of shutdown gone wrong… If it was a takedown of some sort - perhaps the person who reset all these MyBook Live disks knew/thought/believed that was the only option given that there are thousands of these drives out there and no guarantee that the threat would be eradicated otherwise.

1 Like

Thanks for your feedback and warning. As a result of your comments (and warnings from others), I’ve chickened out and disconnected the MBL until someone comes up with a proven way to prevent future attempts. Until then, it’s my trusty Seagate HDD (sigh).

To those doing data or partition scans. If I stop the scan with one programme and start again with a different programme that others seem to be having some success with will the first scan have any impact on running the second? Would I be wasting more time trying this? Going by progress so far it will take 12-14 DAYS to complete the original Disk Internals Data recovery programme.

If I stop the scan with one programme and start again with a different programme that others seem to be having some success with will the first scan have any impact on running the second? Would I be wasting more time trying this?

First scan has zero impact on second scan. Both scans will probably take just as long. The faster it goes the less it will find.

In general a file system is just a list of file chunks associated with a file name. When the drive is formatted, the list is destroyed. These recovery programs make a new list based upon a combination of solid information, good information, file tags, educated guesses and flat out guesses to come up with its own indexing. For the most part directory and subdirectory structures are somewhat lost.

The program then uses the less than perfect indexing it will offer to allow you to save the contents of files it produces to another drive. So make sure you have a drive with enough space for your old files.

Summary: Expect it to take a long time. Even longer than what you think is long. Plus more. If you have any vacation holiday plans, a good time to start the scan is before you go.

1 Like
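
An added illustration of the signature-based recovery described in the post above; it is not part of the original thread and is not the internal logic of any recovery product named here. The signature table, the size cap and the sample image are constructed assumptions.

```python
# Added example: header/footer signature carving over a constructed raw image.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 64 * 1024  # assumed cap so a missing footer cannot run away


def carve(image: bytes):
    """Return (offset, kind, data, complete) for every header found."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_FILE_SIZE)
            if end == -1:
                # Header survived but the tail was overwritten or fragmented:
                # keep what follows (up to the cap) and flag it as partial.
                found.append((pos, kind, image[pos:pos + MAX_FILE_SIZE], False))
                pos = image.find(header, pos + len(header))
            else:
                stop = end + len(footer)
                found.append((pos, kind, image[pos:stop], True))
                pos = image.find(header, stop)
    return sorted(found, key=lambda hit: hit[0])


def carved_name(offset: int, kind: str) -> str:
    # The original name lived in the destroyed file table; only the offset is left.
    return f"f{offset:08d}.{kind}"


def build_sample_image() -> bytes:
    """Constructed test data: zero-filled 'disk' with three planted files."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 80 + b"IEND\xaeB`\x82"
    broken_jpg = b"\xff\xd8\xff\xe0" + b"X" * 40  # footer lost
    return (b"\x00" * 512 + jpg + b"\x00" * 406 + png
            + b"\x00" * 1000 + broken_jpg + b"\x00" * 200)


if __name__ == "__main__":
    for offset, kind, data, complete in carve(build_sample_image()):
        state = "complete" if complete else "partial"
        print(carved_name(offset, kind), len(data), state)
```

The carved files come back with offset-derived names and no folders, and the third hit shows why some recovered files will not open: the header was found but the rest of the file was not.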

Thank you so much for this info and link. I’m trying to get my family’s photos and videos back. Really appreciate it.

What types of files were you able to recover?

Speaking of Seagate, this is basically what WD should have done to prevent this from happening to its customers:

Important part:

Effective April 8, 2018, the remote access feature on Seagate Central will no longer be supported. This feature allows users to remotely access files while not on the same network as their Seagate Central device. All other features will continue to work as expected while on the same network as your device.

Your data on the device will not be deleted or altered in any way. Only the remote access feature will be discontinued.

The gross negligence for WD to not have done this especially after valid reports of remote code exec vulnerabilities were released is beyond irresponsible and shows a total disregard for their customer base.

I honestly can’t see how anyone could ever trust this company with security on any product after this. I mean, security flaws happen to everyone and are to be expected, but the way WD bungled this practically shows a contempt for their userbase.

2 Likes

This statement provided was incorrect as there has been no breach of WD Servers.

For a full explanation of the My Book Live Issue, please see the following Security Bulletin:

Hello cme
Can you kindly provide what are the next steps regarding our drives?
What’s on WD roadmap?

Thank you in advance.

1 Like

Yes, I’ve seen that Security Bulletin; only after all my data had been deleted! It was dated 06/24/21 with an update on 06/25/21. It was too late to be of any help to me.

The on-line chat where that statement had been made to me was on Saturday, 06/26/21, so I just assumed that it was more current than the information in the bulletin on your website.

It was later Saturday before I received an e-mail from WD, as a registered owner, with some recommended security measures which again was too late for me. This particular e-mail also indicates that WD was investigating the effectiveness of various data-recovery tools. Is there any estimate of when we can expect this investigation/evaluation to be completed and its results shared with us?

1 Like

Hi, I was in the same situation as Quilter1. Only saw the WD communication that was sent 6/26, which was way too late for me as well:

  1. When is WD looking to start assisting its customers to recover their data?
  2. How is WD considering to make up for the significant time its customers are wasting with this issue? (incl. and not limited to: checking forums / troubleshooting their WD device / interacting with customer service etc.)

1 Like

  1. Never
  2. They don’t care at all.

3 Likes

You might want to edit your post to obscure or mangle those links to prevent anyone from accidentally clicking on it and downloading the malware.

I’m not expecting much out of WD, but this is still early days. Any solution they may come up with is going to take time.

Hi everyone

I just got wind of this today as my wife was trying to access the drive.
I guess my only question is, is it too late for me now that it is 4 days later that I found the issue?
Is it still worth the effort for data recovery? I know data is always worth it, but is my drive too far gone???
Thanks. Really ■■■■■.
BTW, my UPnP was turned off and MBL auto-update was off also. Not that it matters now

WD had no problem emailing me in 2015 when they had server outage. Why not in 2018 and then later applied a firmware to disable upnp or remote network access? They failed incident response 101.

1 Like

Hi guys. I’m from Russia. I, just like you, got into this unpleasant situation. Yesterday I managed to completely restore my files. I have a WD My Book Live Duo - the drives are configured with a mirror, for a total of 2 TB. First, I put one disk “B” in the PC - little information was recovered. Then I put in both disks “A” and “B”. The scanning took 12 hours. As a result, I saw all my files and folders in their original form. Now we are recovering to a third-party disk. I did everything in the R-Studio program.

I don’t trust WD anymore.
Good luck to you.