Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

PandaBuy data breach allegedly impacted over 1.3 million customers

Threat actors claimed the hack of the PandaBuy online shopping platform and leaked data belonging to more than 1.3 million customers. At least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum. The member of the BreachForums ‘Sanggiero’ announced […]

PandaBuy

Threat actors claimed the hack of the PandaBuy online shopping platform and leaked data belonging to more than 1.3 million customers.

At least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum.

The member of the BreachForums ‘Sanggiero’ announced the leak of data allegedly stolen by exploiting several critical vulnerabilities in Pandabuy’s platform and API. Sanggiero said that he breached the platform with another threat actor named ‘IntelBroker.’

Stolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, and Country.

“In April 2024, almost 3M+ rows of data from the store company Pandabuy was posted to a popular hacking forum. The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website. The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on. The website was breached by @Sanggiero and @IntelBroker.” reads the announcement published by BreachForums.

The data is available for sale on the cybercrime forum, Sanggiero published a sample as proof of the data breach.

HIBP founder Troy Hunt confirmed that 1.3 million email addresses are valid, the remaining addresses are duplicates. Hunt added the leaked addresses to HIBP, users can check if they have been impacted in the incident.

PandaBuy has yet to disclose the security breach, Hunt confirmed he is seeing allegations of them trying to hide the incident.

A company representative said on a Discord channel that the security breach took place in the past, he also added that the company security team said no data breach took place this year.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)