[BreachExchange] Lazada RedMart Data Breach Puts Up Data of 1.1 Million Customers on Dark Web

Destry Winant destry at riskbasedsecurity.com
Mon Nov 2 10:34:23 EST 2020 

https://latesthackingnews.com/2020/11/01/lazada-redmart-data-breach-puts-up-data-of-1-1-million-customers-on-dark-web/

Singapore’s e-commerce giant Lazada has recently disclosed a data
breach affecting RedMart customers. What’s disturbing here is that the
data of 1.1 million Lazada RedMart customers is now for sale on the
dark web.

 Lazada RedMart Data Breach In a recent email notification to its
customers, Lazada has informed them of a data breach affecting
RedMart.

Elaborating further on the matter via a FAQ page, the firm’s
cybersecurity team observed the breach during proactive monitoring.

The incident only involved a RedMart-only database used by the old
RedMart app and site. This database, according to the firm, was
updated until March 2019, hence, included data older than 18-months.
The firm has confirmed that the incident did not impact current Lazada
customers.

Regarding the details of customers included in the breach, they
stated, "The data security incident resulted in unauthorised access to
the database which contained personal data of RedMart customers (which
was last updated in March 2019), including names, phone numbers, email
and mailing address, encrypted passwords, and partial credit card
numbers. "

Since the company did not store complete card numbers and CVV, they
assure this detail as “generally safe”. Though, they have asked the
customers to vigilantly monitor their account status for any
unauthorized or unusual transactions.

Following the incident, the company quickly halted access to the
database and started investigations. As a precaution, they have also
reset the passwords for all customer accounts. Whereas, they have sent
email notifications to the affected customers.

Stolen Data Up For Sale On Dark Web

While Lazada has disclosed the incident as a mere data breach,
Bleeping Computer has reported more alarming details. As revealed, the
data stolen from this breach has been put up for sale on the dark web
for $1500. The hackers reportedly accessed the unsecured MongoDB
database to pilfer the 1.1 million customers’ records.

As claimed by the hackers, the database included details up to July
2020, hinting that Lazada has seemingly downplayed the incident.

 Lazada hasn’t commented anything on discrepancy until the time of
writing this article.

More information about the BreachExchange mailing list