Security

Cyber-crime

Pandabuy confirms crooks nabbed data on 1.3M punters

Nothing says 'sorry' like 10 percent off shipping for a month


Ecommerce platform Pandabuy has apologized after two cybercriminals were spotted hawking personal data belonging to 1.3 million of its customers.

A user with the alias Sanggiero originally advertised the data for sale on a cybercrime forum, saying the information spans nearly 3 million rows on a spreadsheet. It allegedly includes user IDs, full names, phone numbers, email addresses, IP addresses, home addresses, and order data.

Pandabuy is a China-based shipping platform that allows customers to purchase goods directly from Chinese vendors, essentially a middleman service with the idea that it saves consumers time and money on the same goods they would otherwise buy at established retailers.

The data stolen from the company was made available for download on March 31 and security experts raced to verify the authenticity of the leak the following day, with Microsoft's Troy Hunt confirming via his HaveIBeenPwned (HIBP) breach database that 1.3 million unique email addresses were compromised.

Using a snippet of the data posted by Sanggiero, Hunt was able to verify that some of the email addresses included in the leak were genuine, and were stored by Pandabuy. A little more than a third (35 percent) were already in the HIBP database.

"Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it's very clear the user data did indeed come from Pandabuy," Hunt xeeted.

"Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails."
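The "enumeration vector" Hunt describes is a password-reset form whose reply differs depending on whether an address is registered, which is what let him confirm the leaked addresses were genuine Pandabuy accounts. The same behaviour lets anyone verify an account's existence, so it is worth seeing the leaky and hardened forms side by side. The following is an added example written for this article, not Pandabuy's code or anything Hunt published; the user store, the addresses and the handler names are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: placeholder addresses, not data from any breach.
USERS = {"alice@example.com", "bob@example.com"}


@dataclass
class Outbox:
    """Records reset emails that would have been sent; stands in for a mail service."""
    sent: list = field(default_factory=list)


def reset_enumerable(email: str, outbox: Outbox) -> dict:
    """Leaky variant (hypothetical): the reply differs by account existence,
    so a requester learns whether an address is registered without any
    access to the mailbox. This is the pattern Hunt's check relies on."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for this email"}
    outbox.sent.append((email, secrets.token_urlsafe(32)))
    return {"status": 200, "message": "Reset email sent"}


def reset_uniform(email: str, outbox: Outbox) -> dict:
    """Hardened variant (hypothetical): identical status and message whether or
    not the account exists. The reset token is still generated and mailed only
    for real accounts, so the information is delivered solely to the mailbox owner."""
    if email in USERS:
        outbox.sent.append((email, secrets.token_urlsafe(32)))
    else:
        # Do comparable work on the unknown path so response timing does not
        # become the next enumeration signal.
        secrets.token_urlsafe(32)
    return {
        "status": 200,
        "message": "If an account exists for this address, a reset link has been sent",
    }


def enumerates(handler, outbox: Outbox) -> bool:
    """Black-box check a defender can run against a reset endpoint: does the
    visible reply distinguish a known address from a freshly made-up one?"""
    known = handler("alice@example.com", outbox)
    unknown = handler("nobody-" + secrets.token_hex(4) + "@example.com", outbox)
    return known != unknown


if __name__ == "__main__":
    print("leaky handler enumerable:", enumerates(reset_enumerable, Outbox()))
    print("uniform handler enumerable:", enumerates(reset_uniform, Outbox()))
```

The uniform reply closes the oracle in the response body, but it is not the whole story: a login or registration form that says "address already in use" leaks the same bit, and a reset endpoint without rate limiting still lets a list of leaked addresses be checked at scale. Reviewing every path that takes an email address, not just password reset, is the practical takeaway.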

Within hours, Pandabuy addressed the incident via its official Discord channel in a lengthy statement, fessing up to the data blunder and blaming cybercriminals for bypassing its security controls.

Pandabuy didn't directly address the quantity or nature of the data involved, other than to say that financial information wasn't implicated after analyzing what was leaked, but did label the incident as a "data breach" that was carried out by a "hacker organization."

Neither did Pandabuy detail how the breach was allowed to occur, other than vague references to "system vulnerabilities" being fixed and its systems being thoroughly investigated after detecting the breach, eliminating "all possible hidden dangers."

Customers have been urged to remain vigilant against misinformation and follow-on attacks in the wake of the data breach, and were also assured that their accounts were safe.

As some sort of olive branch, sellers were offered a 10 percent discount on all costs associated with shipping products to buyers, which can be used on an unlimited basis for one month, along with repeated apologies.

Naturally, this cash-for-gaffe offer doesn't appear to have been received very well by the community. The sentiment of users across social media is generally negative and the most-used emoji reaction to the official statement was the middle finger.

Speed saved face

The reaction among customers could have been even worse had Pandabuy, rather than quickly admitting the incident as it did (questionable apology discount aside), continued with its initial approach, which users claim was to silence discussion of the breach.

One user alleged Pandabuy's Discord team implemented a blacklist of words to quell discussion of the data breach. If the claims are true, the blacklist was implemented clumsily since it blocked messages that mentioned "breach" from appearing on the Discord channel, but not those that mentioned "breached."

Between the apparent blacklist implementation and the official announcement, Discord admins were also seen trying to deflect from the situation, instructing users not to spread rumors to cause panic.

Pandabuy's Reddit community also allegedly went into a state where moderators had to approve each and every new post, which again appears to be an attempt to stop word of the incident from spreading.

At the time of writing Pandabuy's Reddit page, which has 415,000 members, doesn't host a single discussion thread about the data breach.

China and stifling freedom of expression – who would have thought it? ®
