[BreachExchange] Four Million Quidd User Credentials Found on Dark Web

Destry Winant destry at riskbasedsecurity.com
Wed Apr 15 10:27:41 EDT 2020


Security researchers have discovered almost four million credentials
linked to digital collectibles site Quidd, including a sizeable number
of corporate email addresses.

Risk Based Security’s Data Breach Research Team announced the
discovery on Friday, revealing the data was available “on a prominent
deep web hacking forum.”

It apparently features the email addresses, usernames and bcrypt
hashed passwords of 3,954,416 users.

“The compromised data sets were originally posted on March 12 2020 and
self-attributed to a threat actor named ‘Protag.’ However, the files
were quickly removed,” the firm explained.

“The data resurfaced on March 29 2020 when it was reuploaded by a
different user and has since remained available. One threat actor
responded to the post stating that he has already cracked, or
decrypted, nearly a million password hashes.”

Although the use of bcrypt will make the passwords harder for
cyber-criminals to monetize, concerns persist, especially for some

Around 1000 of the user credentials are linked to corporate email
addresses, including the accounts of employees at Microsoft, Target,
Virgin Media, Accenture, Experian, AIG and other organizations.

Risk Based Security warned the corporate angle could put these firms
at extra risk from business email compromise (BEC) and spear-phishing

That’s besides the more general risk of credential stuffers using the
four million-strong data trove to try their luck across other

Quidd itself has not responded to the researchers' inquiries about the
incident since its discovery. The Brooklyn-based firm deals in
“digital collectibles” from over 300 brand partners including Disney
and DC Comics.

According to Risk Based Security, the leaked data is not being offered
for sale, but access is also unrestricted.
