Data breach trader selling records leaked from 26 companies: Includes the Massive Credit Card Leak in India, 100 Credit and Debit Cardholders are affected

Massive Credit Card Leak Dark Web Data Breach

During our threat intelligence hunt, we stumble upon different contents, especially those of the Dark Web. There are numerous surprises because no one can really tell which of the breaches are critical and impacting until you know what is inside. One perfect example is a data breach broker within a notorious forum posted his collection of databases for a fee.

 

Data breach trader sells records from 26 companies image 1

 

 

Here is an outline of the text format of the post:

Breached Business Affected Lines Password format Date of Breach
Juspay.in  100 million  No Password  2020-08
Teespring.com  8,2 million  SHA1-Salted  2020-06
MyON.com  13  million  Bcrypt  2020-06
Knockcrm.com  6  million  PBKDF2-SHA256  2020-04
Mindful.org  1,7 million  Bcrypt  2020-01
Clickindia.com   8  million  MD5  2020-08
Chqbook.com  1  million  Bcrypt  2020-08
Bigbasket.com  20  million  SHA1-Salted  2020-10
Reddoorz.com  5,8 million  Bcrypt   2020-09
Hybris.com (SAP.com)  4  million  MD5-Salted and PHPass  2020-01
Wedmegood.com  1,3 million  SHA512  2020-09
Wongnai.com  4,3 million  MD5  2020-09
Geekie.com.br  8,1 million  Bcrypt  2020-08
Anyvan.com  4,1 million  MD5 and Bcrypt  2020-09
Accuradio.com  2,2 million  PBKDF2-SHA256  2019-02
Everything5pounds.com  2,9 million  SHA1-Salted and PHPass  2020-09
Cermati.com  2,9 million  Bcrypt  2020-01
Netlog.com (Twoo.com)  53  million  Plaintext  2012-11
Reverbnation.com  7,8 million  SHA1-Salted  2014-04
Fotolog.com  32  million  SHA256-Salted  2018-12
Pizap.com  60  million  No Password  2018-05
ModaOperandi.com  1,2 million  Bcrypt and SHA1-Salted  2019-03
Eventials.com  1,4 million  PBKDF2-SHA256  2020-10
Wahoofitness.com  1,7 million  Bcrypt  2020-07
Sitepoint.com  1  million  Bcrypt  2020-06
Singlesnet.com  16  million  Plaintext  2012-09

 

All websites breached contain useful information from email addresses up to personally identifiable information. However, the member who posted the contents for sale is new to the forums. Therefore, we cannot 100% say that all of them are verified. Yet, for threat actors, these are opportunities for phishing intelligence operations. Nonetheless, the money that can be made from these leaked pieces of information is likely to be profitable if done right. What is outstanding from the list is the leak on Juspay.in.

 

Juspay data breach is about 100 Million cardholders’ Data Leaked

The data contained in the Juspay breach should alarm financial institutions in India because here are the following details based on the SQL query are available:

  1. DROP TABLE IF EXISTS `stored_card`;
  2. /*!40101 SET @saved_cs_client = @@character_set_client */;
  3. /*!40101 SET character_set_client = utf8 */;
  4. CREATE TABLE `stored_card` (
  5. `id` varchar(64) NOT NULL,
  6. `version` bigint(20) NOT NULL,
  7. `card_brand` varchar(20) DEFAULT NULL,
  8. `card_exp_month` varchar(2) NOT NULL,
  9. `card_exp_year` varchar(4) NOT NULL,
  10. `card_fingerprint` varchar(64) DEFAULT NULL,
  11. `card_isin` varchar(6) NOT NULL,
  12. `card_issuer` varchar(64) DEFAULT NULL,
  13. `card_last_four_digits` varchar(4) NOT NULL,
  14. `card_reference` varchar(64) NOT NULL,
  15. `card_token` varchar(64) DEFAULT NULL,
  16. `card_token_of_vault_provider` varchar(64) DEFAULT NULL,
  17. `card_type` varchar(20) DEFAULT NULL,
  18. `customer_id` varchar(128) NOT NULL,
  19. `date_created` datetime NOT NULL,
  20. `last_updated` datetime NOT NULL,
  21. `masked_card_number` varchar(32) NOT NULL,
  22. `merchant_account_id` bigint(20) NOT NULL,
  23. `name_on_card` varchar(255) DEFAULT NULL,
  24. `nickname` varchar(255) DEFAULT NULL,
  25. `vault_provider` varchar(32) NOT NULL,
  26. `card_global_fingerprint` varchar(64) DEFAULT NULL,
  27. `metadata` text,
  28. PRIMARY KEY (`id`),
  29. UNIQUE KEY `id` (`id`),
  30. KEY `FKAED8DE2C37947956` (`merchant_account_id`),
  31. KEY `card_token` (`card_token`),
  32. KEY `customer_id` (`customer_id`),
  33. KEY `card_global_fingerprint_idx` (`card_global_fingerprint`),
  34. KEY `card_reference_idx` (`card_reference`)
  35. ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
  36. /*!40101 SET character_set_client = @saved_cs_client */;

 

Our source of the above data came from the Data Broker himself. According to our threat intelligence team, numerous financial institutions, particularly banks issuing credit and debit cards, are affected. For privacy reasons, we cannot release the list of affected banks and individuals publicly on this advisory.

 

iZOOlogic thinks that recovering this data is essential

iZOOlogic thinks that recovering this data is essential, especially for affected institutions with the data breach. Why? As these data passes on to threat actors and malicious blackhats, the higher the chances that their customers and brand reputation will be affected. The information that comes with the breach when possessed by a brilliant adversary may lead to severe repercussions. These can be used for more future data breaches, identity fraud, and carding activities that may involve unauthorized transactions. We generally do not encourage companies to buy from Data Breach Brokers, but recovering them as early as possible will help you secure the data by identifying the compromised data and avoid any chargeback complaints from your customers as a result of this breach. In other words, once you have the lead of those that got compromised, you can take further action before any adversary takes advantage of those data. It is a race between multiple adversaries and the business that are affected.

 

About the author

iZOOlogic

Leave a Reply