Chinese shopping platform Pandabuy told BleepingComputer it previously paid a a ransom demand to prevent stolen data from being leaked, only for the same threat actor to extort the company again this week.
PandaBuy is an online platform that acts as an intermediary between customers and various Chinese e-commerce websites, including Tmall, Taobao, and JD.com, which don’t ship internationally.
The service allows users to purchase products from these websites, which are often cheaper or have unique items not available elsewhere, and have them shipped to their location.
On March 31, 2024, a threat actor using the alias ‘Sanggiero’ published 3 million rows of data stolen from PandaBuy on BreachForums, exposing customer names, phone numbers, email addresses, login IP addresses, home addresses, and order details.
The threat actor claimed they managed to steal that data by exploiting several critical vulnerabilities in the PandaBuy API.
This data was shared with the data breach notification service Have I Been Pwned (HIBP), which added 1.35 million email addresses from this incident to its system.
At the time, Pandabuy opted not to make any public statements, and there were even reports of the firm attempting to censor customer reports on Discord and Reddit.
New claims and denial
On June 3, 2024, the same threat actor offered to sell what he claimed was the entire database he previously stole from Pandabuy for $40,000.
This database allegedly contains 17 million rows, indicating a much larger data set.
Sanggiero did not provide evidence of additional customer data in the form of samples but uploaded screenshots showing sensitive employee information such as emails and passwords.
A Pandabuy spokesperson admitted to BleepingComputer that they had paid the hacker an undisclosed amount to stop the data leak, adding that the threat actor may have shared the data with others, so they would no longer cooperate with him.
“At present, we cannot continue to pay the hacker fees due to the frozen funds, and the data he leaked is the same as the last one. We have confirmed with the technical department that all the loopholes have been fixed at the time of the first leak incident. And for all we know, he secretly sold our data to other agents after he made the deal with us. We can not cooperate with him in the future.“
❖ Pandabuy
BleepingComputer reached out to Sanggiero about the company’s statement but has not heard back at this time.
For now, it is better to take an abundance of caution and be on the lookout for unsolicited messages from people claiming to be Pandabuy, which may be a phishing attempt to gather additional personal nformation.
If you have not previously reset your password at Pandabuy, it is strongly advised that you do so now, in case additional data was stolen, as the threat actor claims.