fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Over 1M Lazada RedMart Accounts Sold Online After Data Breach

Over 1M Lazada RedMart Accounts Sold Online After Data Breach

Singapore’s largest online grocery store Lazada Redmart has suffered a data breach after 1.1 million user accounts were put up for sale on a hacker forum.

The database dump containing sensitive customer is priced at $1,500.

Lazada is a billion-dollar arm of Alibaba with over 8,000 employees globally. 

DB with 1.1 million accounts priced at $1,500

Hackers selling the illicit data dumps told BleepingComputer they had obtained Lazada’s MongoDB-based data set with data from over 1.1 million RedMart accounts.

The leaked dump contains RedMart customer accounts’ email addresses, SHA-1 hashed passwords, first and last name, phone numbers, mailing addresses, billing addresses, partial credit card numbers, and expiration dates.

Partial database dump from Lazada’s RedMart data breach
Source: BleepingComputer

According to the hackers, however, the data set isn’t standardized, and that “some rows have more information than others.”

Also Read: How Singapore Cybersecurity Materplan 2020 Is Formidable

For example, certain customers had the first 6 and last 4 digits of their credit card number included with their data.

Lazada discovers breach during “proactive monitoring”

On October 29th, Lazada sent out an email notification to impacted customers stating they had discovered the breach during “proactive monitoring” of their systems.

In Lazada’s data breach notification, the company claims that the data exposed in the breach is 18 months old.

“The customer data hosted on this database is more than 18 months out of date as it was last updated in March 2019,” Lazada stated.

However, the data breach broker told BleepingComputer in a conversation that the stolen database contains user records with registration dates in May and July 2020, as shown below.

Last column in the DB dump shows timestamps as recent as July 2020
Source: BleepingComputer

The data breach email further reassured customers that their passwords are “protected by encryption.”

While the passwords in the stolen database are indeed SHA-1 hashed, it is possible to dehash them to recover the original password.

As a safety precaution, RedMart has reset the passwords on all accounts and will prompt you to change it the next time you login.

It is also suggested that you change your password on any other sites utilizing the same one as used on RedMart.

RedMart users should also be on the lookout for targeted phishing emails that utilize the information in the stolen database.

“Lazada does not request customers to verify your personal information,” the breach notification stated.

The exact date of the breach remains unknown.

When BleepingComputer asked the data breach broker how RedMart was compromised, they declined to share that information.

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

According to RedMart, on discovering the breach, the company took steps to promptly block access to the database.

“We have taken immediate action to block unauthorised access to the database. This data was used on the previous RedMart app and website, which are no longer in use. Lazada customer data in Southeast Asia is not affected by this incident,” reads the email notification.

The company also stated they were reviewing and hardening their security controls in addition to collaborating with the law enforcement authorities on this incident.

“We want to be transparent about this incident with all of our customers and reassure you that we are taking it seriously,” concluded the notification.

But what stands out is the discrepancy between their claim of the leaked data being 18 months old and the database screenshot above showing July 2020 registration dates.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us