Researchers have found that almost four million credentials that are linked to digital collectibles site Quidd, including, it seems, some corporate email addresses.
Risk Based Security’s Data Breach Research Team disclosed the discovery on Friday, commenting only that the data was “on a prominent deep web hacking forum.”
It seems to feature the email addresses, usernames and bcrypt hashed passwords of a total of 3,954,416 users.
“The compromised data sets were originally posted on March 12, 2020 and self-attributed to a threat actor named ‘Protag.’ However, the files were quickly removed,” the firm explained.
“The data resurfaced on March 29, 2020 when it was reuploaded by a different user and has since remained available. One bad player even had the cheek to respond to the post by claiming that he has already cracked, or decrypted, nearly a million password hashes!”
Although the use of bcrypt will make the passwords harder for cyber-criminals to monetise, yet concerns persist, especially for some businesses.
Around 1000 of the user credentials are linked to corporate email addresses. This includes the accounts of employees at Microsoft, Target, Virgin Media, Accenture, Experian, AIG & other organisations.
Risk Based Security cautioned the corporate dimension could put these firms at extra risk from business email compromise (BEC) & spear-phishing attempts.
Also, there is the more general risk of credential stuffers utilising the four million data pieces to try their hand across other accounts.
Quidd has not responded further about the incident, since it was discovered. The Brooklyn-based firm deals in “digital collectables” from over 300 brand partners including Disney & DC Comics.
Says Risk Based Security, the leaked data is not actually being offered for sale, but access is also unrestricted.