
Data Breach Impacts 1.3 Million Pandabuy Customers; Company Apologizes After Apparent Cover-Up

A data breach affecting a popular online shopping platform, Pandabuy, has leaked the personal information of over 1.3 million customers.

The breach surfaced on March 31 after a hacker using the online moniker “Sanggiero,” allegedly assisted by “IntelBroker,” posted the stolen data on the infamous hacking forum BreachForums.

IntelBroker is associated with significant data breaches, including those of General Electric, T-Mobile, Verizon, AT&T, US Citizenship and Immigration Services (USCIS), and Facebook Marketplace, which lends credibility to the claim.

Pandabuy hackers exploited critical API vulnerabilities

The threat actors claimed they leveraged critical vulnerabilities on the ecommerce platform’s API to access internal systems: “The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified, allowing access to the internal service of the website.”

They also allege that the data breach exposed over 3 million records containing user IDs, full names, phone numbers, emails, home addresses, login IPs, order data, and other IDs.

According to the data breach aggregation website Have I Been Pwned (HIBP), the data breach exposed 1,348,407 legitimate Pandabuy accounts. The remaining records were duplicates or had been fabricated to inflate the figure.

HIBP founder and Microsoft Regional Director Troy Hunt also confirmed the authenticity of the leaked account details and traced them to Pandabuy.

He authenticated the leaked email addresses by initiating password resets and received responses for legitimate ones. At least a third (35%) of the leaked details were in HIBP’s database, suggesting they were already involved in previous data breaches.

“Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it’s very clear the user data did indeed come from Pandabuy,” Hunt posted on X. “Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails.”

Meanwhile, the threat actors demand a “symbolic” payment in cryptocurrency to access the compromised database.

“This is a classic case of an unauthenticated API, or the attackers have a way to generate valid tokens for any account,” said Katie Paxton-Fear, API Security Researcher at Traceable AI. “The good news is that PandaBuy provides an option to change passwords via email. Therefore, as long as victims didn’t reuse their passwords for other accounts and their email is secure, it should be okay. This incident underscores the need for rigorous API security practices and a reminder to use unique passwords for different services.”
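The enumeration vector Hunt describes (a reset endpoint that answers differently for real and made-up addresses) and the unauthenticated-API point raised above come down to the same defensive rule: an unauthenticated endpoint must not reveal whether an account exists. The following is an added illustration, not Pandabuy's code; the user store, mailer and email addresses are constructed stand-ins.

```python
# Added example: an account-enumeration leak in a password-reset handler
# beside its hardened form. Nothing here is from Pandabuy's platform.
import secrets
from dataclasses import dataclass, field

# Constructed sample user store; the addresses are made up for this example.
USERS = {"alice@example.test", "bob@example.test"}


@dataclass
class Mailer:
    """Stand-in for an email service; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, email: str) -> None:
        # A real mailer would deliver a single-use, expiring token; queue it
        # asynchronously so send time cannot become a timing side channel.
        self.sent.append((email, secrets.token_urlsafe(32)))


def reset_leaky(email: str, mailer: Mailer) -> tuple[int, str]:
    """Vulnerable: the HTTP response itself states whether the account exists,
    which is exactly how leaked addresses can be confirmed one by one."""
    if email.lower() not in USERS:
        return 404, "No account with that email address"
    mailer.send_reset(email)
    return 200, "Reset email sent"


def reset_hardened(email: str, mailer: Mailer) -> tuple[int, str]:
    """Hardened: identical status and body for known and unknown addresses.
    Only the out-of-band email differs, so the caller learns nothing.
    Per-IP and per-address rate limiting still belongs in front of this."""
    if email.lower() in USERS:
        mailer.send_reset(email)
    return 200, "If an account exists for that address, a reset link has been sent"


def responses_differ(handler) -> bool:
    """Review check: compare the response for a real address with the response
    for a random made-up one. True means the endpoint leaks account existence."""
    mailer = Mailer()
    known = handler("alice@example.test", mailer)
    unknown = handler(f"nobody-{secrets.token_hex(4)}@example.test", mailer)
    return known != unknown
```

Running `responses_differ` against each handler shows the leaky version is distinguishable while the hardened one is not, even though the hardened one still emails only genuine account holders.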

Pandabuy acknowledges data breach after attempted cover-up

Some social media users believe that the Chinese online shopping platform attempted to conceal the data breach by censoring posts on Discord and Reddit.

Additionally, Pandabuy’s Discord admin claimed the leaked user data was stale and that the online shopping platform’s technical team had already resolved the incident. They also urged Pandabuy Discord server users to stop spreading rumors and causing panic.

“As news of the Pandabuy breach started to get out it was evident that they had been breached in a big way,” said Jason Kent, Hacker In Residence at Cequence Security. “One of the most telling things is that they were able to get order IDs for each order but let me back up a little bit and discuss how these types of things can happen as we have seen this same thing repeat itself over and over.”

However, Pandabuy quickly apologized and acknowledged the data breach after the PR nightmare, claiming the breach was “caused by a hacker organization using illegal technology to break through the platform’s information security.”

The online shopping platform also noted that the incident did not expose personal or financial information, and the company was taking legal measures to force the hacking forum to delete the stolen user data.

Additionally, Pandabuy said it fixed the exploited vulnerabilities, scanned its systems for all possible security flaws, and “strengthened monitoring and protection mechanism for authorized access.” It also advised customers to remain vigilant for phishing attacks as the company staff does not request account login details or sensitive information.

Lastly, Pandabuy offered customers a “10% freight subsidy” for one month, a “gesture of goodwill” that was poorly received by users based on the number of negative emoji reactions.