[BreachExchange] Data breach broker selling user records stolen from 26 companies

Destry Winant destry at riskbasedsecurity.com
Mon Jan 4 11:12:19 EST 2021


https://www.bleepingcomputer.com/news/security/data-breach-broker-selling-user-records-stolen-from-26-companies/

A data breach broker is selling the allegedly stolen user records for
twenty-six companies on a hacker forum, BleepingComputer has learned.

When threat actors and hacking groups breach a company and steal their
user databases, they commonly work with data breach brokers who market
and sell the data for them. Brokers will then create posts on hacker
forums and dark web marketplaces to market the stolen data.

Last Friday, a data broker began selling the combined total of 368.8
million stolen user records for twenty-six companies on a hacker
forum.

Of these twenty-six companies, only eight are new alleged data
breaches that have not been previously disclosed. These seven
companies are Teespring.com, MyON.com, Chqbook.com, Anyvan.com,
Eventials.com, Wahoofitness.com, Sitepoint.com, and ClickIndia.com.

In a conversation with the data broker, BleepingComputer was told that
Teespring is being sold for $3,800-$4,000, MyON for $2,800, and
Chqbook for $1,800. The broker has not decided on pricing for the
other databases.

The full list of companies whose alleged data is being sold, including
the number of user records and whether they were previously disclosed,
is listed below.

Company                      User Records    Known?
Teespring.com                8.2 million     No
MyON.com                     13 million      No
Chqbook.com                  1 million       No
Anyvan.com                   4.1 million     No
Eventials.com                1.4 million     No
Wahoofitness.com             1.7 million     No
Sitepoint.com                1 million       No
Clickindia.com               8 million       No
Juspay.in                    100 million     Yes
Knockcrm.com                 6 million       Yes
Mindful.org                  1.7 million     Yes
Bigbasket.com                20 million      Yes
Reddoorz.com                 5.8 million     Yes
Hybris.com (SAP.com)         4 million       SAP client data
Wedmegood.com                1.3 million     Yes
Wongnai.com                  4.3 million     Yes
Geekie.com.br                8.1 million     Yes
Accuradio.com                2.2 million     Yes
Everything5pounds.com        2.9 million     Yes
Cermati.com                  2.9 million     Yes
Netlog.com (Twoo.com)        53 million      Yes
Reverbnation.com             7.8 million     Yes
Fotolog.com                  33 million      Yes
Pizap.com                    60 million      Yes
ModaOperandi.com             1.2 million     Yes
Singlesnet.com               16 million      Yes

Responses from companies

After learning about this forum post, BleepingComputer reached out to
the companies whose breaches have not been previously disclosed.

MyON confirmed that their systems were breached but stated that
students' private data was not exposed.

"In July 2020 we were made aware of a bad actor trying to sell
portions of our data on the dark web.  We immediately began
investigating to shut down any continued threats to our data or the
data of our customers.  We were then able to confirm that according to
federal and state privacy laws, no confidential student or customer
data was compromised, and this incident did not rise to the level of
an actual breach of student private data."

"We are committed to the protection of the privacy of our user’s and
customer’s data and have instituted supplemental protections in
addition to our standard information security measures.  Additional
information about those efforts is outlined in our information
Security  Overview and our online Privacy Hub at
https://www.renaissance.com/privacy/," MyON told BleepingComputer via
email.

From the samples seen of the MyON data breach, the exposed information
consisted of login names, BCrypt hashed passwords, and names.

In an email to BleepingComputer, Chqbook.com claims that they were not breached.

"There has been no data breach and no information belonging to our
customers has been compromised. Data security is a key priority area
for us and we conduct periodic security audits to ensure the safety of
our customers’ information," Chqbook told BleepingComputer.

BleepingComputer has emailed some of the users listed in the Chqbook
sample to confirm if the data belongs to them.

Finally, TeeSpring told us that they are investigating whether they
have been breached.

What should users of these sites do?

Other than MyON and Chqbook's statements, it has not been confirmed if
the other six companies have suffered a data breach.

Historically, sold data breaches like this tend to be legitimate, and
companies soon disclose them after the news becomes public.

For now, if you have an account at any of the sites listed above, it
is strongly suggested that you change your password to a strong and
unique one used only at that site.

If the same password has been used at other sites, change your
password to a unique one there as well.

BleepingComputer recommends using a password manager to keep track of
strong and unique passwords at sites where you have accounts.

