Pandabuy Data Breach Exposes Over 1 Million Customers' Information

Pandabuy has been hit by a cyberattack that has exposed over a million users' sensitive data.

The hacker, who goes by “Sanggiero” alongside frequent leaker, “IntelBroker”, announced via the dark web that they had been able to abuse flaws in Pandabuys API.

"The data was stolen by exploiting several critical vulnerabilities in the platform's API and other bugs were identified allowing access to the internal service of the website," the hacker said. "The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on." their post reads.

The data breach aggregation service Have I Been Pwned (HIBP) reports that over 1.3 million PandaBuy accounts were compromised. Troy Hunt, founder of HIBP investigated the Pandabuy data breach by attempting password resets for leaked email addresses. This confirmed that over 1.3 million email addresses were valid Pandabuy accounts.

Thanks to a combination of enumeration vector and the presence of Mailinator addresses, it's very clear the user data did indeed come from Pandabuy. Made-up email addresses are confirmed as non-existent, whilst addresses in the breach successfully get reset emails. pic.twitter.com/8Y9nwPArhC

— Troy Hunt (@troyhunt) April 1, 2024

The leak has exposed Pandabuy customer information on an online forum. The threat actors are offering access to this data for a ‘symbolic’ amount of cryptocurrency.

Pandabuy has yet to release a public statement on the data breach. However, users in the company's Discord server report that the company have apologized for the data breach carried out by a ‘hacker organisation’. 

"As a platform we promise that protecting everyones information is our top priority. We have fixed the system vulnerabilities and thoroughly investigate the system, eliminated all possible hidden dangers and strengthened the monitoring and protection mechanism for unauthorized access," the Discord post continues.

A bolded section at the centre of the long post states:
"Pls don’t worry, your order/parcel/payment information wont be stolen and we promise your account is safe. Also, pls remain vigilant against misinformation as Pandabuy officials will never request user account details or any other sensitive information.”

The statement concludes with a 10% off offer code "as a gesture of goodwill" as an "attempt to mitigate any inconvenience caused by the breach’" The company then states that they are ‘committed to learning from this experience, ensuring better security measures and maintaining the trust you have placed in us.’

The statement has not been received positively in the Pandabuy Discord channel, with multiple users responding with and angry face emojis.

Pandabuy has now confirmed the breach: https://t.co/b6BMeq81LZ

— Troy Hunt (@troyhunt) April 1, 2024

Other users on the company's Discord channel and Reddit page allege that Pandabuy initially blacklisted discussions of the breach to stop information spreading. 

What is Pandabuy?

Pandabuy is an e-commerce service that helps users buy items from China.

They specialize in working with websites which are popular in China but don't typically ship internationally.

What to do if your data has been leaked?

If your information has been exposed in the Pandabuy, or any, data breach the most important thing you can do is change your passwords. This is particularly important for any account linked to your finances. 

After changing your passwords ensure that you set up multi-factor authentication. This adds an extra layer of protection to your accounts, making it much harder for hackers to gain access. Rather than just using a password, MFA requires you to provide two or more pieces of evidence to verify your identity when you log in. Even if threat actors have been able to access your password they will not be able to log in without further authentication.

Read: Top 10 MFA Providers for 2024

Moving forward, be hyper-vigilant about phishing emails. Scammers might use the breach to send emails pretending to be Pandabuy. These emails could trick you into revealing personal information or clicking on malicious links. Don't click on links or attachments in suspicious emails, and be wary of emails urging immediate action.

Finally, make sure to monitor your financial accounts - which is good general practice. Keep an eye out for any unusual activity on your bank statements or credit card accounts. If you notice anything suspicious, report it to your financial institution immediately.