A threat actor is selling account databases on an underground hacking forum. Together, the databases hold 34 million user records that the seller claims were stolen from 17 companies in data breaches. However, the seller told BleepingComputer that they are only a broker acting on behalf of somebody else, who did not wish to disclose how the databases were compromised. The data breach broker claims that all 17 companies were breached this year.
Hacker initiated the bidding process on the hacker forum
The data breach broker created a new topic on a hacker forum to sell the stolen user databases for 17 companies on October 28.
The seller told BleepingComputer that the RedMart data was for sale at $1,500 on the hacker forum. Stolen data mostly fetches between $500 and $100,000 on underground markets, as seen in the Zoosk and Wattpad data breaches, respectively.
Hackers initially sell stolen data privately on a hacker forum of their choice. Later, they release the information for free to earn "street cred" and prove themselves on the dark market.
Companies listed on the hacker forum
Major sites affected include geekie.com.br, which leaked 8.1 million records, while Singapore's RedMart exposed 1.1 million accounts. RedMart acknowledged the breach, while wongnai.com said the incident was under investigation.
Lazada, the Singaporean e-commerce firm owned by Alibaba that operates RedMart, suffered the most significant breach. The company acknowledged that personal information, including addresses and partial credit card numbers, of 1.1 million users was leaked, a major breach in a city-state of 5.7 million people.
The Alibaba-owned firm disclosed that the data was lifted from a database of its online grocery arm, RedMart. However, the Alibaba affiliate noted that the data was more than 18 months out of date and that its current customer data was safe.
“The user information that was illegally accessed includes names, phone numbers, email and mailing addresses, encrypted passwords and partial credit card numbers,” a spokesperson for the Alibaba affiliate said.
Lazada said it was able to block access to the database, preventing further unauthorized access. The firm also disclosed that it discovered the breach through proactive monitoring, when the data surfaced on the hacker forum.
The nature of information exposed in the data leak
Most of the records listed on the hacker forum contained personal details such as names, phone numbers, and email addresses. Some of the records also included hashed passwords. Here is the list of details exposed per site on the underground hacker forum.
- Redmart.lazada.sg exposed users' full names, phone numbers, email addresses, SHA-1 hashed passwords, mailing and billing addresses, partial credit card numbers, and expiration dates.
- Everything5pounds.com leaked users' names, gender, phone numbers, email addresses, and hashed passwords.
- Geekie.com.br exposed names, gender, mobile phone numbers, dates of birth, usernames, email addresses, bcrypt-SHA256/SHA-512 hashed passwords, and Brazilian CPF numbers.
- Cermati.com's leak revealed sensitive personal details including names, gender, addresses, phone numbers, email addresses, bcrypt hashed passwords, bank, job, company, revenue, tax number, ID number, and mother's maiden name.
- Clip.mx exposed only email addresses and phone numbers.
- Katapult.com exposed names, email addresses, and passwords hashed with PBKDF2-SHA256 (some in an unknown format).
- Eatigo.com users' names, phone numbers, gender, email addresses, MD5 hashed passwords, and Facebook IDs and tokens were leaked.
- Wongnai.com leaked the names, dates of birth, phone numbers, ZIP codes, email addresses, MD5 hashed passwords, IP addresses, and Facebook and Twitter IDs of its customers.
- Toddycafe.com exposed the names, phone numbers, email addresses, addresses, and passwords of its clients.
- Game24h.vn leaked the names, dates of birth, usernames, email addresses, and MD5 hashed passwords of its customers.
- Wedmegood.com exposed the phone numbers, email addresses, SHA-512 hashed passwords, and Facebook IDs of its patrons.
- W3layouts.com leaked the names, phone numbers, email addresses, bcrypt hashed passwords, country, city, state, and IP addresses of every customer who registered on the site.
- Apps-builder.com compromised the names, email addresses, md5crypt hashed passwords, IP addresses, and country of each user.
- Invideo.io exposed the names, phone numbers, email addresses, and bcrypt hashed passwords of its customers.
- Coupontools.com data contained names, phone numbers, gender, dates of birth, email addresses, and bcrypt hashed passwords.
- Athletico.com.br data contained names, dates of birth, email addresses, MD5 hashed passwords, and CPF numbers.
- Fantasycruncher.com data leaked on the hacker forum contained usernames, email addresses, bcrypt/SHA-1 hashed passwords, and IP addresses.
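The hashing algorithms named in the list above are not interchangeable for the affected users. An unsalted MD5, SHA-1 or SHA-512 digest costs an attacker one hash computation per wordlist guess, while PBKDF2 and bcrypt multiply that work by their iteration count or cost factor. The Python below is an added example written for this page, not code from the article, BleepingComputer, or any of the companies named: it classifies the password field of a dump row by shape (the same formats the list names), runs a small dictionary attack against the formats the standard library can attack, records the work spent per record, and tallies records per email domain, which is also the check used to tell which company a dump belongs to. The dump rows, the wordlist, the salt, the email domains and the `pbkdf2_sha256$iterations$salt$hash` field layout are all constructed for this example and are not taken from any real dump.

```python
"""Triage of the password field in a leaked credential dump (added example)."""
import hashlib
import hmac
import re

# Field shapes for the formats named in the article's list. Shape only: a
# 32-hex-character field might be salted MD5 rather than plain MD5.
_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5crypt", re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    # Assumed layout for this example: pbkdf2_sha256$iterations$salt_hex$dk_hex
    ("pbkdf2-sha256", re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]+\$[0-9a-f]{64}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("sha1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("sha512", re.compile(r"^[0-9a-fA-F]{128}$")),
]

WORDLIST = ["123456", "password", "qwerty", "letmein"]   # constructed
PBKDF2_ITERATIONS = 100_000
_SALT = b"constructed-salt"


def classify_hash(field):
    """Return the format name of a password field, or 'unknown' (plaintext?)."""
    for name, pattern in _FORMATS:
        if pattern.match(field):
            return name
    return "unknown"


def crack_unsalted(field, algo, wordlist):
    """Dictionary attack on an unsalted hex digest.

    Returns (password_or_None, hash_operations_spent): one hash per guess.
    """
    target = field.lower()
    for n, word in enumerate(wordlist, 1):
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word, n
    return None, len(wordlist)


def crack_pbkdf2(field, wordlist):
    """Same attack on the assumed PBKDF2 layout; each guess costs `iterations` HMACs."""
    _, iters, salt_hex, dk_hex = field.split("$")
    iters, salt = int(iters), bytes.fromhex(salt_hex)
    for n, word in enumerate(wordlist, 1):
        dk = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iters)
        if hmac.compare_digest(dk.hex(), dk_hex):
            return word, n * iters
    return None, len(wordlist) * iters


def _pbkdf2_field(password, salt=_SALT, iterations=PBKDF2_ITERATIONS):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


# Constructed "email:password_field" rows in the shape dumps are traded in.
# The bcrypt and md5crypt strings are syntactically valid placeholders only.
SAMPLE_DUMP = "\n".join([
    "alice@example-shop.test:" + hashlib.md5(b"password").hexdigest(),
    "bob@example-shop.test:" + hashlib.sha1(b"letmein").hexdigest(),
    "grace@example-shop.test:" + hashlib.md5(b"correct horse battery staple").hexdigest(),
    "carol@example-grocery.test:" + hashlib.sha512(b"123456").hexdigest(),
    "frank@example-grocery.test:" + _pbkdf2_field("qwerty"),
    "dave@example-coupon.test:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
    "erin@example-coupon.test:$1$saltsalt$Wd9fYtm0P.HwL3yB5Lf1V0",
    "heidi@example-cafe.test:Summer2020!",
])


def triage_dump(dump_text, wordlist):
    """Classify and attack every row; bcrypt/md5crypt/unknown are labelled, not attacked."""
    results = []
    for line in dump_text.splitlines():
        email, field = line.split(":", 1)
        fmt = classify_hash(field)
        if fmt in ("md5", "sha1", "sha512"):
            password, work = crack_unsalted(field, fmt, wordlist)
        elif fmt == "pbkdf2-sha256":
            password, work = crack_pbkdf2(field, wordlist)
        else:
            password, work = None, 0
        results.append({"email": email, "domain": email.rsplit("@", 1)[1],
                        "format": fmt, "password": password, "work": work})
    return results


def summarize_by_domain(results):
    """Records, cracked count and formats per email domain: which company is this dump?"""
    summary = {}
    for r in results:
        d = summary.setdefault(r["domain"], {"records": 0, "cracked": 0, "formats": set()})
        d["records"] += 1
        d["cracked"] += r["password"] is not None
        d["formats"].add(r["format"])
    return summary


if __name__ == "__main__":
    for r in triage_dump(SAMPLE_DUMP, WORDLIST):
        print(f'{r["email"]:30} {r["format"]:14} {str(r["password"]):30} work={r["work"]}')
    print(summarize_by_domain(triage_dump(SAMPLE_DUMP, WORDLIST)))
```

The `work` column is the point: the unsalted MD5, SHA-1 and SHA-512 rows fall within one to four hash computations, while the PBKDF2 row costs 100,000 HMAC operations per guess before the same four-word list finds it. bcrypt and md5crypt are only labelled here because attacking them needs the `bcrypt` package or a crypt(3) implementation, which this example deliberately leaves out; the domain summary is what lets a researcher say "this dump contains accounts from site X" before any password is recovered.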
BleepingComputer confirmed from the exposed email addresses that 13 of the 17 companies were breached. The Clip.mx, Katapult, CouponTools, and Apps-builder data could not be verified.
Dan Piazza, the Technical Product Manager of Stealthbits, laments the failure of companies to disclose data breaches.
“In today’s ransomware climate, it’s still alarming to hear when companies fail to disclose recent breaches, especially considering the backlash typically received when end users find an organization has not been forthcoming.”
However, he gives them the benefit of the doubt, considering the long dwell times of cyber attacks.
“It seems more likely that most of these organizations simply didn’t know they were breached – which is actually a scarier reality,” Piazza says.
Saryu Nayyar, Gurucul’s CEO, notes that data brokerage was the modus operandi for the cybercriminals.
“The sale of 34 million stolen user records shows the kinds of business model cybercrime has evolved into,” Nayyar says. “Individual attackers of APT groups steal information from their victims then either sell it themselves or pass it on to a broker who sells it for them.”
According to Nayyar, the existence of stolen-data brokers is a worrying trend and the primary cause of the problem. Nayyar recommended a concerted effort by the criminal justice system to apprehend and prosecute the criminals, and advised users to adopt better cyber security habits to keep hackers out of their accounts.
“The law enforcement community is responsible for pursuing and prosecuting the attackers, while it is up to users to practice good account hygiene with carefully chosen passwords for each site, and multifactor authentication, and for companies to do what they can to protect their assets from attack. That includes adequate policies, and an up to date security stack, including behavioral analytics, to quickly identify a breach, and reduce the risk of one happening in the first place.”