Pierluigi Paganini
April 02, 2024
At least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum.
The member of the BreachForums ‘Sanggiero’ announced the leak of data allegedly stolen by exploiting several critical vulnerabilities in Pandabuy’s platform and API. Sanggiero said that he breached the platform with another threat actor named ‘IntelBroker.’
PandaBuy has been breached by Threat Actors operating under the names "Sanggiero" and "IntelBroker". Exfiltrated data includes:
— vx-underground (@vxunderground) April 1, 2024
– UserId
– First name
– Last name
– Phone number
– Login Ip
– Full address
– Order information
Breach patrons are relatively excited pic.twitter.com/Gg0HLEMSj1
Stolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, and Country.
“In April 2024, almost 3M+ rows of data from the store company Pandabuy was posted to a popular hacking forum. The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website. The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on. The website was breached by @Sanggiero and @IntelBroker.” reads the announcement published by BreachForums.
The data is available for sale on the cybercrime forum, Sanggiero published a sample as proof of the data breach.
Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it's very clear the user data did indeed come from Pandabuy. Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails. pic.twitter.com/8Y9nwPArhC
— Troy Hunt (@troyhunt) April 1, 2024
PandaBuy has yet to disclose the security breach, Hunt confirmed he is seeing allegations of them trying to hide the incident.
Comments captured by someone else, certainly looks like they know something has happened pic.twitter.com/1ZXSE12xwJ
— Troy Hunt (@troyhunt) April 1, 2024
A company representative said on a Discord channel that the security breach took place in the past, he also added that the company security team said no data breach took place this year.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
