MILLIONS of user data records from ShopBack and RedDoorz have allegedly been advertised for sale on underground hacker forums, following reported data breaches discovered by the two Singapore-based companies in September. In ShopBack's case, the data offered for sale appears to include cracked passwords.
A post advertising access to user data from ShopBack, a cashback platform, appeared on an underground forum on Dec 6, according to Singapore-based cybersecurity firm Group-IB, which looked into the matter in response to queries from The Business Times.
The seller claimed to have 5.2 million user records, including emails and passwords, and revealed 83,000 lines of dehashed records. Hashing is a security measure that turns passwords into random-looking strings of characters.
"Another user, who posted dehashed ShopBack user data earlier in November, commented on this post and said he could provide 4.4 million of dehashed user records for free in private," said Shawn Tay, senior threat intelligence and attribution analyst at Group-IB. This meant that threat actors appear to have derived plaintext passwords from encrypted versions.
KELA, a cybersecurity firm headquartered in Israel, told BT that 5.7 million plaintext passwords were also made available for download from a website called Hashes.org, though the leak does not contain emails. "It will require some work for (threat actors) to correlate emails and hashed passwords from the original leak with dehashed passwords," the firm said.
The database allegedly related to ShopBack was first uploaded to database sharing forums on Nov 10. One post author said that a hacker group or individual called "ShinyHunters" were the perpetrators of the breach, though this could not be verified, said Group-IB.
ShopBack said it became aware on Nov 13 that a party had made available online its customers' personal data, which was taken during the unauthorised access to its systems in September. The company notified Singapore's Personal Data Protection Commission (PDPC) and updated users via its website.
ShopBack then invalidated unchanged passwords and completed a forced logout that required users to change to a new password. It assured customers that their cashback and credit card details were safe.
A spokesperson told BT that the company has improved the storage of its salted passwords by encrypting using a separately stored "pepper". Salt and pepper are random pieces of data added to passwords before hashing.
Separately, underground forum posts in September and October advertised a database presumably containing 5.8 million user records from RedDoorz, a hotel booking and management platform. The seller shared a database sample of 587 user records, said Group-IB.
The data sale offer was first reported by tech news portal Bleeping Computer on Nov 10. The sample data included details such as emails, hashed passwords, full names, phone numbers and dates of birth, the news site reported.
According to Group-IB, the post was later removed from the forum and the database is no longer available for sale. The group's findings indicated that the same seller advertised the databases of RedMart and Eatigo, though the seller was not involved in the data breaches.
RedDoorz chief executive Amit Saberwal said that the company was notified of a database breach by Cyble, a US-based cyber threat intelligence firm. Cyble wanted RedDoorz to engage its services to resolve the matter; if not, it would expose the details of the breach.
"It was like some guys discovering a burglary in your house, then saying that if you don't engage their services, they will make it public," said Mr Saberwal, who called the request "completely bizarre".
The company refused to agree to Cyble's terms. Mr Saberwal said RedDoorz immediately alerted the relevant country authorities as well as the Federal Bureau of Investigation in the US, where its servers are based. It also issued a public statement of the data breach on Sept 26.
Most of the compromised user data came from RedDoorz's largest market of Indonesia, said Mr Saberwal. About 200,000 records, comprising less than 1 per cent of the database, were from Singapore.
RedDoorz appeared to be one of the companies dragged into Cyble's modus operandi that involves seeking out victims of data breaches and offering to fix the issue, online news publication The Ken reported on Nov 17. If the victim does not bite, the consequences amount to public shaming, the news site wrote.
Companies approached by Cyble have reportedly included Indian online grocer BigBasket and payments startup Juspay. In response to queries from The Ken, Cyble denied that it only agrees to help companies that pay for its services.
Data breaches have become a more pressing issue as tech firms grow larger and traditional businesses digitalise. Events management tech firm Peatix, for one, was among the latest victims of an unauthorised access to its systems.
The company said it was alerted to the breach on Nov 9. The breach involved user details such as names, email addresses, and salted and hashed versions of passwords, Peatix said in an announcement on its website on Nov 17.
A separate announcement issued in Japanese stated that up to 6.77 million users had their details compromised. Peatix declined to comment on the number of Singapore users affected. It said its teams were investigating and responding to the incident. A PDPC spokesperson said the commission is aware of the incident and has reached out to Peatix Asia Pte Ltd for more information.
Peatix advised users to reset their passwords and watch out for suspicious correspondence requesting personal information. Bad actors could pose as Peatix or try to access other websites or apps on which users have used the same passwords.
Group-IB's Mr Tay said that to avoid such breaches, companies that process user information need to put in place advanced threat hunting and intelligence solutions that can detect targeted attacks and monitor for leaked credentials.
"However, users also need to follow basic cyber hygiene practices. Using the same password for different websites is definitely a bad idea," he said. "Multifactor authentication, where possible, is a must too."