A whopping 34 million user records have materialized on an underground sales forum, which cybercriminals claim are gleaned from 17 different corporate data breaches.
According to reports, the data appeared late last week, and the theft appears to be the work of a single person or group.
The affected companies are a widely diverse set of targets, gleaned from around the world. According to Bleeping Computer, they include: Apps-builder.com; Athletico in Brazil; Indonesian financial firm Cermati; Clip (a card-reader company in Mexico); Coupontools.com; Eatigo; Everything5pounds.com; Fantasy Cruncher (a fantasy sports tool); Game24h in Vietnam; Geekie; online video-maker Invideo; lease-to-own furniture company Katapult; RedMart; Toddycafe (which offers cold-brew coffee gear); W3layouts (website templates); Indian wedding planning service Wedmegood; and Wongnai.
Two of the breaches were previously reported: RedMart and Eatigo.
RedMart (a division of Lazada, owned by Chinese giant Alibaba), offers online grocery shopping and delivery in Singapore. It’s perhaps the highest-profile company on the list – the company confirmed the incident in a notice to customers.
A full 1.1 million records were stolen from the company and put up for sale, containing emails, SHA1 hashed passwords, mailing and billing addresses, full names, phone numbers, partial credit-card numbers and expiry dates. The price tag for the cache is $1,500, according to the Straits Times, a Singapore-area paper of record.
“Our cybersecurity team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company,” according to the company’s statement. “This RedMart-only information is more than 18 months out of date and not linked to any Lazada database…current customer data” is not affected.
Meanwhile Eatigo, which offers online restaurant reservations in Singapore and neighboring areas, said that data from 2.8 million accounts was stolen and offered for sale. In an email to affected customers, also reported by the Straits Times, the company said the data was more than 18 months old.
“We were made aware on Oct 30th that along with several other e-commerce platforms, we were the subject of a data security incident,” the company said. “Your existing Eatigo account password is protected by encryption and hence safe. We do not store credit-card information on our system.”
The affected data includes emails, passwords, names, phone numbers, gender, and Facebook IDs and tokens.
The other company to confirm a breach is Wongnai, Thailand’s equivalent to Yelp. That database included 4.3 million records, the attacker said, containing emails, passwords, Facebook and Twitter IDs, names, birthdates, phone numbers and postal codes. It confirmed the breach via email, according to Bleeping Computer.
“Thanks for your inquiry, we were aware of this incident last night (Bangkok time) and our tech team have been investigating this matter,” the company told the outlet.
Another breach of note in the trove is the compromise of Geekie, which is an adaptive-learning platform sanctioned by the Brazilian government and used by 5,000 different schools there. It reportedly had the most records put up for sale: A full 8.1 million of them are on offer, containing emails, bcrypt-sha256/sha512 hashed passwords, usernames, names, dates of birth, gender, mobile phone numbers and Brazilian CPF numbers (taxpayer IDs).
Meanwhile, the seller of the data on the underground forum told Bleeping Computer that he was merely a broker, acting on behalf of the actual attacker.
“When asked how the hacker gained access to the various sites, the seller stated, ‘Not sure if he want to disclose,’” according to the report.
Massive Credential Dumps
This latest incident continues the sporadic trend of massive data dumps showing up online (which generally lead to follow-on phishing and account take-over efforts).
In January, a huge cache totaling 87 GB of data was spotted on the MEGA cloud service. The data was organized into 12,000 separate files under a root folder called “Collection #1.” But as it turns out, Collection #1 was only a fraction of a larger amount of leaked credentials.
Soon after, researchers at the Hasso Plattner Institute in Potsdam, Germany discovered another new trove of stolen data equaling 845 GB and 25 billion records in all (611 million credentials after de-duping). The latest data dump, dubbed #Collection #2-5″ contained roughly three times as many unique records as Collection #1.
In all, the entire set of compromised credentials totaled 993.53 GB of data, including addresses, cell phone numbers and passwords.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.