Chinese shopping platform PandaBuy informed BleepingComputer that it had previously paid a ransom to prevent stolen data from being leaked, only to face a second extortion attempt from the same threat actor this week.
PandaBuy serves as an intermediary between customers and several Chinese e-commerce websites, such as Tmall, Taobao, and JD.com, which do not offer international shipping.
The platform enables users to buy products from these websites, which often feature lower prices or unique items not available elsewhere, and have them shipped to their location.
On March 31, 2024, a threat actor using the alias ‘Sanggiero’ published 3 million rows of data stolen from PandaBuy on BreachForums, exposing customer names, phone numbers, email addresses, login IP addresses, home addresses, and order details.
The threat actor claimed to have stolen the data by exploiting several critical vulnerabilities in the PandaBuy API.
This data was shared with the data breach notification service Have I Been Pwned (HIBP), which added 1.35 million email addresses from this incident to its system.
At the time, PandaBuy chose not to make any public statements and reportedly attempted to censor customer reports on Discord and Reddit.
New claims and denial
On June 3, 2024, the same threat actor, Sanggiero, offered to sell what he claimed was the entire database previously stolen from PandaBuy for $40,000.
This database allegedly contains 17 million rows, indicating a much larger data set.
Although Sanggiero did not provide evidence of additional customer data in the form of samples, he uploaded screenshots showing sensitive employee information such as emails and passwords.
Figure: New claim from the original threat actor (Source: BleepingComputer)
A PandaBuy spokesperson admitted to BleepingComputer that they had paid the hacker an undisclosed amount to prevent the data leak. However, they added that the threat actor may have shared the data with others, so they would no longer cooperate with him.
“At present, we cannot continue to pay the hacker fees due to the frozen funds, and the data he leaked is the same as the last one. We have confirmed with the technical department that all the loopholes have been fixed at the time of the first leak incident. And for all we know, he secretly sold our data to other agents after he made the deal with us. We can not cooperate with him in the future.” – PandaBuy
BleepingComputer reached out to Sanggiero regarding the company’s statement but has not received a response at this time.
For now, it is wise to exercise caution and be vigilant for unsolicited messages from individuals claiming to be from PandaBuy, as these may be phishing attempts to gather additional personal information.
If you have not yet reset your password on PandaBuy, it is strongly advised to do so now, in case additional data was compromised, as the threat actor claims.
Source: BleepingComputer, Bill Toulas