Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Bonobos Clothing Store Suffers A Data Breach, Hacker Leaks 70GB Database

Bonobos Clothing Store Suffers A Data Breach, Hacker Leaks 70GB Database

Bonobos men’s clothing store has suffered a massive data breach exposing millions of customers’ personal information after a cloud backup of their database was downloaded by a threat actor. Bonobos states that the corporate systems were not breached during the attack.

Bonobos started as an online men’s clothing store but later expanded to sixty locations to try on clothes before purchasing them. Walmart bought Bonobos in 2017 for $300 million to sells its clothing on their site.

Last weekend, a threat actor known as ShinyHunters, who is notorious for hacking online services and selling stolen databases, posted the full Bonobos database to a free hacker forum.

Forum post leaking the Bonobos database
Forum post leaking the Bonobos database

Massive 70 GB database leaked

This leaked database is a monstrous 70 GB SQL file containing various internal tables used by the Bonobos website. The database also includes various data far more interesting to threat actors, such as customers’ addresses, phone numbers, partial credit card numbers (last four digits), order information, password histories.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

The amount of records varies depending on the category of the data. For example, the address and phone numbers are for 7 million customers/orders, account information for 1.8 million registered customers, and 3.5 million partial credit card records.

User records table
Leaked user records table

The passwords stored in the database are hashed using SHA-256 or SHA-512 according to threat actors who have started to analyze the database. One threat actor claims to have already cracked the passwords for 158,000 SHA-256 passwords but has been unable to crack the SHA-512 passwords.

The hacker turned the cracked passwords into a ‘combolist’ used in credential stuffing attacks, which is to log in using the stolen credentials at other sites.

Backup database was stolen from the cloud

After BleepingComputer contacted Bonobos about the leaked database, the clothing store told us that the threat actors did not gain access to internal systems but rather to a backup file hosted in an external cloud environment.

“Protecting our customers’ data is something we take very seriously. We’re investigating this matter further and, so far, have found no evidence of unauthorized parties gaining access to Bonobos’ internal system. What we have discovered is an unauthorized third party was able to view a backup file hosted in an external cloud environment. We contacted the host provider to resolve this issue as soon as we became aware of it.”

“Also, we have taken additional precautionary steps, including turning off access points, invalidating account passwords and requiring password resets, to further secure customer accounts. We’re emailing customers to notify them that their contact information and encrypted passwords may have been viewed by an unauthorized third party. Payment information was not affected by this issue. We’ll continue to share updates with customers as they become available,” Bonobos told BleepingComputer via email.

Though the database did not include full payment information in the database, threat actors can use the partial data in targeted phishing attacks.

Partial credit card information in the database
Partial credit card information in the database

What should Bonobos users do?

As this is a confirmed data breach, it is strongly recommended that all Bonobos users immediately change their password on the site.

If the same password has been used at other sites, change your password to a unique one there as well.

Using unique passwords at every site you have an account prevents a data breach at one site from affecting you at other websites you use.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

BleepingComputer recommends using a password manager to track strong and unique passwords for the sites you have accounts.

Finally, all Bonobos customers should be on the lookout for emails asking for credit card or login information, as it could be targeted phishing scams resulting from this data breach.

Update 1/22/21: Our story originally mentioned that the database contained virtual gift cards. Bonobos told us that this data is store credit and cannot be redeemed as tender.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us