130 Million New Records Enter Cybercrime Forums

A few days ago, we saw 3 billion credentials leaked on the dark web, a repository compiled from previous data leaks and breaches. Several organizations scrambled to understand the risks that leak posed to them, but now there is another issue to deal with on our Sunday / Monday!

Cyble researchers have noted another major “alleged” breach by the infamous ShinyHunters group. It was posted on their go-to marketplace, RaidForums.

In this case, the seller, who appears to be either a data broker or an alias of the ShinyHunters (SH) group, is selling the Astoria company’s database.

Per the seller, they gained access to the following information on 100Mn users:

  • Name, email address, date of birth, address, mobile number and IP address for all users.
  • For over 40Mn of those users, Social Security Numbers (SSNs), checking account and routing numbers, driver’s license numbers, vehicle VINs and other fields.

Source of the data: The actor claims the data was sourced from the company “Astoria”. Astoria is a performance marketing company that offers pay-per-call, search engine optimization, e-mail, social media and offline advertising services.

While Astoria has not disclosed any breach, given the track record of the SH group’s previous claims, this one is likely to be legitimate. The actor is selling the information for 5 BTC, i.e., ~USD 240,000; given the claimed quality of the data, that price surprises few. Cyble researchers believe that, if true, this would be one of the biggest heists of Social Security Numbers (SSNs) seen so far.

[Update] About the seller:

Telegram Profile:

Other aliases of the seller: seller123[at]secmail.pro

Telegram group managed by the actor: @Hunters

The seller was observed to be selling other databases as well. However, Cyble was unable to verify those claims at this stage.

On a separate note, another seller came to market with new datasets, as below:

The actor claims to have access to the private databases of the following companies, with the corresponding record counts and fields:

14.5 Mn: FranConnect.com | Full names, emails, plaintext passwords, full addresses, phone numbers, family members, IP addresses, company info, financial info
11 Mn: Zelfy.com | Full names, emails, locations, device id
3.3 Mn: Cashalo.com | Full names, emails, bcrypt hashes, phone numbers
1.2 Mn: OAntagonista.com | Full names, emails
0.8 Mn: ParkBench.com | Full names, emails, phone numbers, full addresses
0.46Mn: Tambola.com | Full names, emails, phone numbers, date of birth
60K: EOSAirClub.com | Usernames, emails, plaintext passwords, wallet addresses, transactions

At the time of writing this advisory, our researchers have no evidence or artifacts suggesting a link between this seller and the ShinyHunters group. Of the listed datasets, FranConnect and EOSAirClub are claimed to include plaintext passwords, which are directly usable for credential stuffing; the Cashalo set is claimed to hold bcrypt hashes, which would first have to be cracked before the passwords could be reused.

We recommend that people:

  • Never share personal information, including financial information, over the phone, email or SMS.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Regularly monitor their financial transactions and, if they notice any suspicious activity, contact their bank immediately.
  • Turn on the automatic software update feature on their computer, mobile and other connected devices wherever possible and pragmatic.
  • Use a reputable anti-virus and Internet security software package on their connected devices, including PCs, laptops and mobiles.
  • If concerned about their exposure on the dark web, register at AmiBreached.com to ascertain their exposure.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
