Pandabuy confirms crooks nabbed data on 1.3M punters

Nothing says 'sorry' like 10 percent off shipping for a month


Ecommerce platform Pandabuy has apologized after two cybercriminals were spotted hawking personal data belonging to 1.3 million of its customers.

A user with the alias Sanggiero originally advertised the data for sale on a cybercrime forum, saying the information spans nearly 3 million rows on a spreadsheet. It allegedly includes user IDs, full names, phone numbers, email addresses, IP addresses, home addresses, and order data.

Pandabuy is a China-based shipping platform that lets customers buy goods directly from Chinese vendors, essentially a middleman service pitched as saving consumers time and money on the same goods they would otherwise buy from established retailers.

The data stolen from the company was made available for download on March 31 and security experts raced to verify the authenticity of the leak the following day, with HaveIBeenPwned (HIBP) founder Troy Hunt confirming via his breach database that 1.3 million unique email addresses appeared in the dump.

Using a snippet of the data posted by Sanggiero, Hunt was able to verify that some of the email addresses included in the leak were genuine, and were stored by Pandabuy. A little more than a third (35 percent) were already in the HIBP database.

"Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it's very clear the user data did indeed come from Pandabuy," Hunt xeeted.

"Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails."
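The verification Hunt describes relies on a password-reset endpoint that answers differently for registered and unregistered addresses, a textbook account-enumeration flaw: once you hold a dump, you can confirm which rows are real by asking the site to reset their passwords. The Python below is an added example, not Pandabuy's code or Hunt's tooling; the two handlers, the user store, the "leaked" and "invented" addresses and the in-memory outbox are all constructed for illustration. It puts a leaky reset handler next to a uniform one and shows that the classification trick only works against the former.

```python
"""
Account-enumeration check against a password-reset endpoint (added example).

`leaky_reset` is the vulnerable pattern: its HTTP response reveals whether the
address has an account. `uniform_reset` returns the same status and body
either way, so an observer holding a mix of real and made-up addresses
cannot separate them from the response alone.
"""
import secrets
from dataclasses import dataclass

# Constructed sample: two addresses "from the dump" (one a throwaway
# Mailinator-style account) and two invented ones that never existed.
LEAKED = ["alice@example.com", "bob@mailinator.com"]
INVENTED = ["nobody-here@example.com", "zz-fake@example.net"]

# Constructed user store: only the leaked addresses are registered.
USERS = set(LEAKED)

# Stand-in for the mail transport; records (address, token) pairs.
OUTBOX: list[tuple[str, str]] = []


@dataclass(frozen=True)
class ResetResponse:
    status: int
    body: str


def leaky_reset(email: str) -> ResetResponse:
    """Vulnerable: a 404 for unknown addresses confirms which ones exist."""
    if email not in USERS:
        return ResetResponse(404, "No account found for that email address")
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))
    return ResetResponse(200, "Reset email sent")


def uniform_reset(email: str) -> ResetResponse:
    """Hardened: identical status and body whether or not the user exists.

    The token is generated unconditionally so the two paths do similar work;
    a production version would also push the lookup and send onto a queue so
    response time does not depend on account existence.
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        OUTBOX.append((email, token))  # only real accounts actually get mail
    return ResetResponse(200, "If that address is registered, a reset email is on its way")


def response_classes(reset, candidates):
    """Group candidates by the (status, body) the endpoint returns for them.

    This is the observer's view: each distinct response class is a bucket the
    endpoint has sorted the addresses into.
    """
    groups: dict[tuple[int, str], list[str]] = {}
    for email in candidates:
        r = reset(email)
        groups.setdefault((r.status, r.body), []).append(email)
    return groups


def leaks_existence(reset, known_real, known_fake) -> bool:
    """True if the endpoint lets an observer tell real addresses from fake ones."""
    return len(response_classes(reset, list(known_real) + list(known_fake))) > 1


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_reset), ("uniform", uniform_reset)):
        print(name, "leaks account existence:",
              leaks_existence(handler, LEAKED, INVENTED))
        print("  response classes:", response_classes(handler, LEAKED + INVENTED))
```

Note that the uniform handler still differs in a side effect (only real addresses receive mail), which is exactly what Hunt used: he could see reset mail arriving for breach addresses and not for made-up ones. A uniform response closes the cheap, scriptable channel; rate limiting and equalised timing are needed to close the rest.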

Within hours, Pandabuy addressed the incident via its official Discord channel in a lengthy statement, fessing up to the data blunder and blaming cybercriminals for bypassing its security controls.

Pandabuy didn't directly address the quantity or nature of the data involved, other than to say that, having analyzed what was leaked, it found no financial information was implicated, but it did label the incident a "data breach" carried out by a "hacker organization."

Neither did Pandabuy detail how the breach was allowed to occur, other than vague references to "system vulnerabilities" being fixed and its systems being thoroughly investigated after detecting the breach, eliminating "all possible hidden dangers."

Customers were urged to stay alert to misinformation and follow-on attacks, and were also assured that their accounts were safe.

As some sort of olive branch, sellers were offered a 10 percent discount on all costs associated with shipping products to buyers, which can be used on an unlimited basis for one month, along with repeated apologies.

Naturally, this cash-for-gaffe offer doesn't appear to have been received very well by the community. The sentiment of users across social media is generally negative and the most-used emoji reaction to the official statement was the middle finger.

Speed saved face

The reaction among customers could have been even worse had Pandabuy, instead of making the quick admission it did (questionable apology discount aside), stuck with its initial approach, which users claim was to silence discussion of the breach.

One user alleged Pandabuy's Discord team implemented a blacklist of words to quell discussion of the data breach. If the claims are true, the blacklist was implemented clumsily: it blocked messages containing the word "breach" from appearing on the Discord channel but let through those that said "breached."

Between the apparent blacklist implementation and the official announcement, Discord admins were also seen trying to deflect from the situation, instructing users not to spread rumors to cause panic.

Pandabuy's Reddit community also allegedly went into a state where moderators had to approve each and every new post, which again appears to be an attempt to stop word of the incident from spreading.

At the time of writing, Pandabuy's Reddit page, which has 415,000 members, doesn't host a single discussion thread about the data breach.

China and stifling freedom of expression – who would have thought it? ®

