Data Breach Broker Selling User Records Stolen From 26 Companies

A data breach broker is selling the allegedly stolen user records for twenty-six companies on a hacker forum, BleepingComputer has learned.

When threat actors and hacking groups breach a company and steal their user databases, they commonly work with data breach brokers who market and sell the data for them. Brokers will then create posts on hacker forums and dark web marketplaces to market the stolen data.

Last Friday, a data broker began selling the combined total of 368.8 million stolen user records for twenty-six companies on a hacker forum.

Of these twenty-six companies, only eight are new alleged data breaches that have not been previously disclosed. These eight companies are Teespring.com, MyON.com, Chqbook.com, Anyvan.com, Eventials.com, Wahoofitness.com, Sitepoint.com, and ClickIndia.com.

In a conversation with the data broker, BleepingComputer was told that Teespring is being sold for $3,800-$4,000, MyON for $2,800, and Chqbook for $1,800. The broker has not decided on pricing for the other databases.

The full list of companies whose alleged data is being sold, including the number of user records and whether they were previously disclosed, is listed below.

| Company | User Records | Known? |
|---|---|---|
| Teespring.com | 8.2 million | No |
| MyON.com | 13 million | No |
| Chqbook.com | 1 million | No |
| Anyvan.com | 4.1 million | No |
| Eventials.com | 1.4 million | No |
| Wahoofitness.com | 1.7 million | No |
| Sitepoint.com | 1 million | No |
| Clickindia.com | 8 million | No |
| Juspay.in | 100 million | Yes |
| Knockcrm.com | 6 million | Yes |
| Mindful.org | 1.7 million | Yes |
| Bigbasket.com | 20 million | Yes |
| Reddoorz.com | 5.8 million | Yes |
| Hybris.com (SAP.com) | 4 million | SAP client data |
| Wedmegood.com | 1.3 million | Yes |
| Wongnai.com | 4.3 million | Yes |
| Geekie.com.br | 8.1 million | Yes |
| Accuradio.com | 2.2 million | Yes |
| Everything5pounds.com | 2.9 million | Yes |
| Cermati.com | 2.9 million | Yes |
| Netlog.com (Twoo.com) | 53 million | Yes |
| Reverbnation.com | 7.8 million | Yes |
| Fotolog.com | 33 million | Yes |
| Pizap.com | 60 million | Yes |
| ModaOperandi.com | 1.2 million | Yes |
| Singlesnet.com | 16 million | Yes |

Responses from companies

After learning about this forum post, BleepingComputer reached out to the companies whose breaches had not been previously disclosed.

MyON confirmed that its systems were breached but stated that students’ private data was not exposed.

“In July 2020 we were made aware of a bad actor trying to sell portions of our data on the dark web. We immediately began investigating to shut down any continued threats to our data or the data of our customers. We were then able to confirm that according to federal and state privacy laws, no confidential student or customer data was compromised, and this incident did not rise to the level of an actual breach of student private data.”

“We are committed to the protection of the privacy of our user’s and customer’s data and have instituted supplemental protections in addition to our standard information security measures. Additional information about those efforts is outlined in our information Security Overview and our online Privacy Hub at https://www.renaissance.com/privacy/,” MyON told BleepingComputer via email.

From the samples seen of the MyON data breach, the exposed information consisted of login names, BCrypt hashed passwords, and names.

In an email to BleepingComputer, Chqbook.com claims that they were not breached.

“There has been no data breach and no information belonging to our customers has been compromised. Data security is a key priority area for us and we conduct periodic security audits to ensure the safety of our customers’ information,” Chqbook told BleepingComputer.

BleepingComputer has emailed some of the users listed in the Chqbook sample to confirm if the data belongs to them.

Finally, TeeSpring told us that they are investigating whether they have been breached.

What should users of these sites do?

Other than MyON and Chqbook’s statements, it has not been confirmed if the other six companies have suffered a data breach.

Historically, data breaches sold like this tend to be legitimate, and companies disclose them soon after the news becomes public.

For now, if you have an account at any of the sites listed above, it is strongly suggested that you change your password to a strong and unique one used only at that site.

If the same password has been used at other sites, change your password to a unique one there as well.

BleepingComputer recommends using a password manager to keep track of strong and unique passwords at sites where you have accounts.
