34m user records have been identified on an underground sales forum, which the sellers claim were obtained from 17 different corporate data breaches.
A disparate group of companies, including an adaptive-learning platform in Brazil, an online grocery service in Singapore & a cold-brew coffee-maker company, are caught up in the large batch of data.
According to reports, the data appeared late last week, & the theft seems to be the work of a single person or group.
The affected companies are a widely diverse set of targets, from around the world.
According to Bleeping Computer, they include: Apps-builder.com; Athletico in Brazil; Indonesian financial firm Cermati; Clip (a card-reader company in Mexico); Coupontools.com; Eatigo; Everything5pounds.com; Fantasy Cruncher (a fantasy sports tool); Game24h in Vietnam; Geekie; online video-maker Invideo; lease-to-own furniture company Katapult; RedMart; Toddycafe (which offers cold-brew coffee gear); W3layouts (website templates); Indian wedding planning service Wedmegood; & Wongnai.
RedMart, a division of Lazada (owned by Chinese giant Alibaba), offers online grocery shopping & delivery in Singapore. It is the highest-profile company on the list, & it confirmed the incident in a notice to customers.
1.1 million records were taken from the company & put up for sale, containing emails, SHA1-hashed passwords, mailing & billing addresses, full names, phone numbers, partial credit-card numbers & expiry dates. The price tag for the cache is $1,500, according to the Straits Times, Singapore's paper of record.
“Our cyber-security team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company,” according to the company’s statement. “This RedMart-only information is more than 18 months out of date & not linked to any Lazada database…current customer data” is not affected.
Eatigo, which offers online restaurant reservations in Singapore & neighbouring areas, said that data from 2.8m accounts was stolen & offered for sale. In an email to affected customers, also reported by the Straits Times, the company explained that the data was over 18 months old.
“We were made aware on Oct 30th that along with several other e-commerce platforms, we were the subject of a data security incident,” the company commented. “Your existing Eatigo account password is protected by encryption & hence safe. We do not store credit-card information on our system.”
Data affected includes emails, passwords, names, phone numbers, gender, & Facebook IDs & tokens.
The other company to confirm a breach is Wongnai, Thailand's Yelp equivalent. This database included 4.3m records, the seller claimed, containing emails, passwords, Facebook & Twitter IDs, names, birthdates, phone numbers & postal codes. Wongnai confirmed the breach via email, according to Bleeping Computer.
“Thanks for your inquiry, we were aware of this incident last night (Bangkok time) & our tech team have been investigating this matter,” the company informed the outlet.
Another breach in the batch is the compromise of Geekie, an adaptive-learning platform sanctioned by the Brazilian government & used by 5,000 different schools there.
It reportedly had the most records put up for sale: a full 8.1m of them are on offer, containing emails, bcrypt-sha256/sha512-hashed passwords, usernames, names, dates of birth, gender, mobile phone numbers & Brazilian CPF numbers (taxpayer IDs).
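The hashing scheme named in a dump is the first thing a responder should look at when sizing its impact: the RedMart cache is described as bare SHA1, while Geekie's is bcrypt. The following added example (not code from the article or from any of the companies named) contrasts the two properties that matter: an unsalted fast hash is deterministic, so identical passwords produce identical digests that can be linked across users & across breaches, whereas a salted, iterated scheme produces a distinct digest per user & is deliberately slow to verify. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, which is an assumption made for portability; the user records are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Constructed sample: two users who happen to share the same password.
SAMPLE_USERS = {
    "alice@example.invalid": "Winter2019!",
    "bob@example.invalid": "Winter2019!",
}

KDF_ITERATIONS = 200_000  # assumed work factor for the slow scheme


def sha1_unsalted(password: str) -> str:
    """Legacy scheme reported for the RedMart records: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def kdf_salted(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stand-in for a salted, slow scheme such as the bcrypt reported for Geekie."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so verification does not leak digest bytes."""
    return hmac.compare_digest(kdf_salted(password, salt), stored)


def linkable_users(users: dict) -> int:
    """How many users share a digest with another user under unsalted SHA-1."""
    digests = [sha1_unsalted(p) for p in users.values()]
    return len(digests) - len(set(digests))


def salted_digests_distinct(users: dict) -> bool:
    """With a fresh per-user salt, identical passwords no longer collide."""
    stored = {u: kdf_salted(p, os.urandom(16)) for u, p in users.items()}
    return len(set(stored.values())) == len(stored)


def seconds_per_verification(password: str = "Winter2019!") -> float:
    """Rough cost of one slow-scheme check; the legacy hash costs microseconds."""
    salt = os.urandom(16)
    stored = kdf_salted(password, salt)
    start = time.perf_counter()
    verify_salted(password, salt, stored)
    return time.perf_counter() - start
```

For the legacy scheme the digest alone tells a defender how exposed the accounts are, which is why a disclosure that passwords were "encrypted" is not by itself reassuring.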
The seller of the data on the underground forum told Bleeping Computer that he was merely a broker, acting on behalf of the actual attacker.
“When asked how the hacker gained access to the various sites, the seller stated, ‘Not sure if he want to disclose,’” according to the report.
Huge Credential Dumps
The latest incident continues the trend of huge data dumps turning up online (which generally lead to follow-on phishing & account take-over efforts).
In January, a huge cache totalling 87Gb of data was found on the MEGA cloud service. The data was organised into 12,000 separate files under a root folder called "Collection #1." Collection #1 was only a small part of a larger amount of leaked credentials.
Hasso Plattner Institute
Researchers at the Hasso Plattner Institute in Potsdam, Germany also discovered another new batch of stolen data equalling 845Gb, & 25 billion records in all (611m credentials after de-duping). This latest data dump, called "Collections #2-5", contained about 3 times as many unique records as Collection #1.
As a whole, the entire set of compromised credentials totalled 993.53Gb of data, including addresses, cell phone numbers & passwords.