Nearly four million users of an online collectables marketplace have had their credentials leaked and shared on hacking forums.
Security researchers at Risk Based Security revealed the breach on Friday and confirmed that sensitive information has been circulated on a “prominent deep web hacking forum”.
Quidd allows users to trade various types of collectables through an online marketplace. The company features digital collectables from hundreds of well-known brands, including Disney and DC Comics.
According to the researchers, the leaked data sets include email addresses, usernames and bcrypt-hashed passwords of more than 3.9 million Quidd users.
Researchers said the data sets were likely circulated in early March but were then removed. In addition, although the leaked credentials are not being sold on hacker forums, access to the data is not restricted and it is being freely shared.
According to ZDNet, Quidd information could have been traded privately among hacker groups for several months. Ads for the Quidd datasets were allegedly posted on hacking forums and Pastebin as far back as October 2019.
“The compromised data sets were originally posted on March 12th, 2020 and self-attributed to a threat actor named ‘Protag’. However, the files were quickly removed,” Risk Based Security said.
“The data resurfaced on March 29th, 2020 when it was reuploaded by a different user and has since remained available,” the company added.
Researchers added that one particular threat actor had responded to the data set post to say they had already cracked nearly one million password hashes.
In addition to the leaked Quidd credentials, the datasets appear to contain around one thousand professional email addresses, many of which belong to employees at a host of well-known companies, including Microsoft, Accenture, Virgin Media, Experian and AIG.
Risk Based Security warned this creates a “notable risk of business email compromise”, as well as potential spear phishing campaigns.