Hackers have released private details of around one million people in a major credit card data breach.
The breach appears to be part of a ‘giveaway’ promoting a new underground site run by the criminal group called AllWorldCards.
According to security SaaS provider Cyble, the cards, which are from 2018/19, are now available for sale on the hacker forum, with 20% still technically valid.
Researchers found the released data includes names, expiry dates, CVV numbers, postcodes, and email addresses, as well as other private information on card owners.
Additionally, almost all the cards had a visible valid Bank Identification Number (BIN) associated with an issuer.
Hundreds of banks worldwide are affected by the breach, including major US bank JP Morgan and British bank Barclays.
The breach also appears to have affected some customers in Scotland, with 164 cards from Bank of Scotland and 648 from The Royal Bank of Scotland among those released.
Cyble suggested, as the first line of defence, that users change all passwords to “tough-to-guess” versions, as well as keeping an eye on future financial transactions.
The Cyble researchers also imported the collected data onto their AmIBreached service to allow users to check if their cards were part of the breach.
Hackers are increasingly using ‘carding’ to gain access to credit card details: bots are used to test lists of recently stolen credit card and debit card details on merchant sites.
Criminals are then able to use information from stolen credit cards to buy products, or more commonly, purchase gift cards that can be exchanged for goods and are difficult to trace.
AllWorldCards are selling the details for between $0.30 and $14.40, with almost three quarters (73%) costing between $3.00 and $5.00.
The cyber-criminal group is looking to become a big player on the hacker scene, and this free dump of one million cards will be appreciated by threat actors.
Commenting on the breach, Felix Rosbach, product manager at data-security specialists comforte AG, said that users must be careful as card data is some of the most sensitive we have.
“Fraud is easy to commit with stolen credit card information. Therefore threat actors releasing one million credit cards for free creates a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer or a merchant in the network was actually the target of a breach,” Rosbach said.
“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup.
“Implementing data-centric security, which means focusing on data protection at the earliest possible point and de-protecting it only when absolutely necessary, is crucial to minimize the impact of a breach for enterprises.”
This card dump is the latest of several high-profile data breaches that have happened so far this year.
In April, social media giant Facebook announced the leaking of data on 500 million of its users, including phone numbers, locations, birthdates, Facebook IDs, full names, and email addresses.
The breach was so major that Ireland’s Data Protection Commission announced that it intended to start an investigation to discover the origins of the breach.