A threat actor known as Sanggiero has claimed responsibility for a data breach affecting the UK-based e-commerce platform PandaBuy.
The threat actor, who operates on BreachForums, posted an advertisement offering more than 17 million user records for sale. The announcement of PandaBuy data breach comes after Sanggiero partially shared PandaBuy’s data on March 31, 2024.
PandaBuy, a Chinese online marketplace known for selling counterfeit products, has over one million downloads on Google Play Store and 2.95k reviews.
According to the TA’s post on the breach fourm, the compromised data includes first name, last name, user ID, email address, order data, order ID, login IP address, country, name of the employee, and hashed password.
To prove the authenticity of the breach, Sanggiero shared a screenshot of the compromised JSON file and the total number of records. The hacker claims the data was obtained by exploiting critical vulnerabilities in PandaBuy’s platform and plans to publicly disclose these weaknesses on their blog soon.
I would also explain on my blog all the vulnerabilities which have not yet been fixed by PandaBuy,” the hacker stated.
PandaBuy Data Breach: Threat Actor Set a Price Tag
Sanggiero is offering the complete database for a price of $40,000. The hacker’s post read, “We sell the whole database of PandaBuy. Indeed, you will have seen a few months ago we partially disclosed PandaBuy data. Now we sell all of the data that include 17 millions of lines on users for a price of $40,000.”
In addition to the ransom, Sanggiero warned of disclosing the names of PandaBuy employees along with their passwords, which are encoded in base-64. The post also left an open invitation for PandaBuy to resume negotiations to prevent further disclosures.
“The names of the employees will also be disclosed with their passwords (encoded in base-64). If PandaBuy wants to resume negotiations, they are welcome. No more time to waste.”
PandaBuy Legal Troubles
This data breach adds to the growing list of troubles for PandaBuy. In April 2024, Chinese authorities targeted the platform for supplying counterfeit goods. Police raided its warehouses, which held millions of packages destined for overseas buyers.
The crackdown involved more than 200 public security branch officers, 50 private sector investigators, and local police. The raids led to the detention of over 30 people and the seizure of millions of parcels, including hundreds of thousands of fake branded sports shoes.
Prior to this, PandaBuy faced legal action from 16 brands over copyright infringement. The Hangzhou office and several warehouses of PandaBuy were raided, resulting in significant legal and reputational challenges for the company.
The investigation, first publicized by World Trademark Review, was carried out in cooperation with the City of London police and several intellectual property protection firms, including Corsearch, Rouse, and Rouse’s China-based strategic partner Lusheng Law Firm.
What This Means for PandaBuy Users
For PandaBuy users, this alleged data breach is a serious concern. The compromised data includes sensitive personal information that could be used for identity theft, phishing attacks, and other malicious activities. Users are advised to:
- Change their PandaBuy passwords immediately.
- Monitor their email accounts for suspicious activity.
- Be wary of phishing emails or messages that may try to exploit the stolen data.
Additionally, PandaBuy users should consider using two-factor authentication (2FA) for their accounts to add an extra layer of security.
Looking Ahead
For PandaBuy, the road to recovery will be challenging. The company not only needs to address the security flaws that led to the alleged PandaBuy data breach but also rebuild trust with its users and partners. The ongoing legal battles over counterfeit goods add another layer of complexity to their situation.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.