Online store Pandabuy, which aggregates products from Chinese e-commerce platforms, allegedly suffered a data breach on Sunday, impacting 1,348,307 accounts. The leaked data includes user IDs, first and last names, phone numbers, emails, login IPs, full addresses and order details.

The data was allegedly leaked after two threat actors — Sanggiero and IntelBroker — exploited multiple vulnerabilities to breach the company’s systems. Pandabuy’s marketplace allows people globally to access products from Chinese marketplaces, including JD.com, Tmall and Taobao.

While Pandabuy hasn’t issued a statement, it seems to be in damage-control mode. Users allege that the company is trying to censor messages about the breach on its Discord channel. Its Reddit page is also now moderated.

An admin on the company’s Discord channel acknowledged the breach. “The attack was not successful. The user’s personal information has not been disclosed. Our technical department solved the problem as soon as possible,” the admin said in response to a comment on Discord. “

pic.twitter.com/mjidYmfIGu
— Young Stroker the Body Snatcher (@BestAdamDaGoat) April 1, 2024

“No user information was stolen this year. That’s old information. Our technical department has organised and solved this problem in time”, the admin said in response to another comment.

While cybercriminals claimed that the leaked database contained over 3 million email addresses, Have I Been Pwned’s founder, Troy Hunt, tested and confirmed that the database contained over 1.3 million valid email addresses; the rest were temporary emails, aliases, or completely made-up addresses.

In the News: LayerSlider bug potentially affects a million WordPress websites

PandaBuy has been breached by Threat Actors operating under the names "Sanggiero" and "IntelBroker". Exfiltrated data includes:

– UserId
– First name
– Last name
– Phone number
– Email
– Login Ip
– Full address
– Order information

Breach patrons are relatively excited pic.twitter.com/Gg0HLEMSj1
— vx-underground (@vxunderground) April 1, 2024

According to BleepingComputer, the data was stolen by exploiting critical vulnerabilities in Pandabuy’s API and gaining access to the platform’s internal services courtesy of other bugs.

The leaked data is available on a forum in exchange for a blockchain payment. Unregistered members can also peruse a sample database file.

To be safe, those with a Pandabuy account should reset their password.

In the News: AT&T confirms 2021 breach; changes 7.6 million customer passcodes