Report: 1.3 Million PandaBuy Customers Data Exposed In Breach

Tyler Cross Senior Writer
Published on: April 4, 2024

Major threat actors have leaked the data of more than 1.3 million customers of PandaBuy, a platform that lets you make purchases from multiple China-based e-commerce websites at once.

The company said three-plus million rows of data were obtained by at least two threat actors. One of these two, Saggiero, posted on the online hacking website BreachForums that they obtained a massive quantity of sensitive customer data and that they’d post it soon.

“The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website,” he posted.

The stolen data includes user IDs, passwords, full names, IP addresses, home addresses, and, more concerningly, full customer order data. While it’s not completely certain that Saggiero and his accomplice have obtained this much data, the hacker posted a data sample on the forum to lend credibility to his claims.

Cybersecurity researchers have since confirmed that the leaked data came from PandaBuy.

An accomplice, IntelBroker, is infamous for a series of major data breaches on companies like Meta (Facebook) and the US Citizenship and Immigration Services (USCIS).

“Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it’s very clear the user data did indeed come from Pandabuy. Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails,” said security consultant Troy Hunt.

The stolen data is being sold for cryptocurrency, which caused a stir in the hacking community. Researchers captured conversations between hackers on social media sites like Telegram, Discord, and X.

“Panda buy got breached/.”

Since the stolen data appears highly credible and hackers are buzzing at the opportunity to purchase it, make sure you immediately rotate your PandaBuy passwords.

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs, and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.
