Major threat actors have leaked the data of more than 1.3 million customers of PandaBuy, a platform that lets you make purchases from multiple Chinese-based e-commerce websites at once.
The company said three-plus million rows of data were obtained by at least two threat actors. One of these two, Saggiero, posted on the online hacking website BreackForums that they obtained a massive quantity of sensitive customer data and that they’d post it soon.
“The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website,” he posted.
The stolen data includes user IDs, passwords, full names, IP addresses, home addresses, and more concerningly, full customer order data. While it’s not completely certain that Saggiero and his accomplice have obtained this much data, the hacker posted a data sample on the forum to lend credibility to his claims.
Cybersecurity researchers have since confirmed that the leaked data came from PandaBuy.
An accomplice, IntelBroker, is infamous for a series of major data breaches on companies like Meta (Facebook) and the US Citizenship and Immigration Services (USCIS).
“Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it’s very clear the user data did indeed come from Pandabuy. Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails,” said security consultant Troy Hunt.
The stolen data is being sold for cryptocurrency, which caused a spark in the hacking community. Researchers captured conversations happening between hackers on social media sites like Telegram, Discord, and X.
“Panda buy got breached/.”
Since there is a lot of credibility to the stolen data and hackers are buzzing at the opportunity to purchase it, make sure you immediately rotate your PandaBuy passwords.