Cybercriminals collectively leaked some 50 million records containing sensitive personal information in the days leading up to Christmas.
Many of the leaks, on the Dark Web, carried the tag “Free Leaksmas” suggesting that the threat actors behind them were sharing their data with other criminals as a form of mutual gratitude and in a bid to attract new customers during the busy holiday season.
Happy “Leaksmas”
That’s the assessment of cybersecurity firm Resecurity after its researchers spotted several threat actors releasing substantial data dumps nearly simultaneously on and just before Christmas Eve. Some of the data appeared to be from past data breaches, but several of the other dumps came from new breaches, with data stolen or copied from users all around the world.
“Cybercriminals dealing in stolen payment data also viewed the Christmas season as an opportune time to attract new buyers by offering discounts,” Resecurity said in a report last week. “Some underground shops provided substantial markdowns, with discounts reaching up to 40% on compromised online banking and ecommerce accounts.”
One of the biggest data dumps came from a breach at Peruvian telecom provider Movistar. The dataset included some 22 million records containing protected data, including customer phone numbers and DNI numbers (Documento Nacional de Identidad, the primary identification document for the country’s residents). Other large Leaksmas datasets included one containing 2.5 million records associated with customers of a Vietnamese fashion retailer and one with some 1.5 million records belonging to customers of a French company.
Not all the data dumps that Resecurity observed being shared freely over the holidays were from fresh breaches: a few appeared to be from older incidents. One example was data belonging to customers of Swedish fintech company Klarna that the threat actors may have obtained from a rumored — but not officially confirmed — breach back in 2022. Resecurity’s analysis of another data dump, involving 2 million records belonging to customers of a Mexican bank, suggested it may have originated from a breach some time in 2021 or 2022.
“In addition to these individual leaks, the perpetrators also released larger compilations of data, consisting of multiple separate data breaches,” Resecurity reported. “Some of these were extensive packages, known as combo-lists, containing millions of records that included emails and passwords.”
Multiple Known Actors
Resecurity was able to identify several previously known threat actors among those who shared compromised Leaksmas datasets in underground online crime forums over the holiday break.
One of the most prominent of them was SeigedSec, a pro-Iranian hacktivist group that researchers have previously spotted targeting critical infrastructure and industrial control systems environments in Israel in recent months. In November 2023, the group claimed responsibility for a breach at the Idaho National Laboratory where they accessed — and later publicly leaked — sensitive data, including full names, Social Security numbers, addresses, and birthdates belonging to thousands of people.
Another known group that Resecurity spotted freely doling out stolen information was an alliance of multiple hacktivist groups called “Five Families.” The group claimed responsibility for stealing over 1 million records — including system logs and employees’ personal information — from a large Chinese clothing store apparently because of the company’s abusive labor practices and its government connections. In announcing the leak, Five Families promised more of the same activity in the year ahead. “Our organization has a lot planned,” Five Families said in an announcement re-published by Resecurity. “Coming up we are very proud to present all that in the very near future, especially moving forward into 2024 where we have a lot of ideas planned out.”
In keeping with the Christmas spirit, some criminals, such as those selling stolen credit card data and services around loan application fraud and identity theft, offered steep discounts to attract new buyers. “Digital identity continues to be a primary focus for cybercriminals,” Resecurity said. “These malicious actors are actively seeking out sensitive personal identifiable information (PII), exploiting vulnerabilities in insecure Web applications, software applications, and network services.”