Data belonging to more than 1.3 million customers of the PandaBuy online shopping platform has been leaked, allegedly after two threat actors exploited multiple vulnerabilities to breach systems.
PandaBuy allows international users to purchase products from various e-commerce platforms in China, including Tmall, Taobao, and JD.com.
Yesterday, a threat actor named ‘Sanggiero’ claimed a breach on PandaBuy, allegedly performed together with another threat actor called ‘IntelBoker.’
“The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website,” the threat actor said.
“The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on.”
According to data breach aggregation service Have I Been Pwned (HIBP), 1,348,407 PandaBuy accounts have been exposed in the breach.
The details of PandaBuy shoppers were leaked on a forum and can be obtained by any registered members in exchange for a symbolic payment in cryptocurrency.
To prove to unregistered members that the information is valid, the threat actor provides a small sample containing email addresses, customer names, order numbers and details, shipping addresses, transaction dates and times, and payment IDs.
Troy Hunt, the creator of HIBP, tested password reset requests using the leaked addresses and confirmed that at least 1.3 million email addresses are valid and come from PandaBuy. The rest are made-up and duplicate addresses, so the “3 million” figure was inflated by the threat actors.
PandaBuy has not made any statements about the data breach. According to some reports, the company is trying to conceal the incident by censoring user posts on Discord and Reddit.
A company representative with an administrator role on the Discord channel said that a security incident had occurred in the past and that the leaked data was old and that the platform’s security team had responded to the issue promptly.
If you have an account on PandaBuy, it is strongly recommended to reset your password. Also, remain vigilant for scam attempts and treat unsolicited communications with suspicion.
PandaBuy user data has been added to HIBP and subscribers to the service should have received an email informing them of the leak.