130 Million New Records Enters in Cybercrime Forums

A few days ago, we saw 3 Billion credentials leaked in the darkweb – a repository compiled through the previous data leaks and breaches. Several organizations scrambled about the leak to better understand the risks posed to them, but now we have another issue to deal with on our Sunday / Monday!

Cyble researchers have noted another major “alleged” breach by the infamous ShinyHunters group. This was posted on their go-to-marketplace, RaidForums.

In this case, the seller, which appears to be one of the data brokers or alias of the SH group, is selling Astoria company’s database.

Per the seller, they gained access to the following information of 100Mn users –

Name, Email address, date of birth, address, mobile, IP address for all users. They also alleged to have gained access to over 40Mn users’ Social Security Numbers (SSNs) and checking account and routing numbers, driver’s license number, vehicle VIN, and other fields.

Source of the data: The actor has alleged the data source from the “Astoria” company. Astoria is a performance marketing company that offers pay per call, search engine optimization, e-mail, social media, and offline advertising services.

While Astoria company has not disclosed any breach, given the previous claims of the SH’s groups, it’s likely to be a legit claim. The actor is selling this information for 5 BTC, i.e., ~ USD 240,000. Given the quality of the alleged data, it doesn’t surprise many. Cyble researchers believe this one of the biggest heists of Social Security Numbers (SSNs) if it’s true

[Update] About the seller:

Telegram Profile:

Other aliases of the seller: seller123[at]secmail.pro

Telegram group managed by the actor: @Hunters

The seller was observed to be selling other databases as well. However, Cyble was unable to verify those claims at this stage.

On a separate note, another seller came to the market with new data-sets as below:

The actor alleged to have access to the private database of the following companies and the corresponding records / databases :

14.5 Mn: FranConnect.com | Full names, emails, plaintext passwords, full addresses, phone numbers, family members, IP addresses, company info, financial info
11 Mn: Zelfy.com | Full names, emails, locations, device id
3.3 Mn: Cashalo.com | Full names, emails, bcrypt hashes, phone numbers
1.2 Mn: OAntagonista.com | Full names, emails
0.8 Mn: ParkBench.com | Full names, emails, phone numbers, full addresses
0.46Mn: Tambola.com | Full names, emails, phone numbers, date of birth
60K: EOSAirClub.com | Usernames, emails, plaintext passwords, wallet addresses, transactions

At the time of writing the advisory, our researchers have no evidence/artifact shreds suggesting a link with the ShinyHunters group.

We recommend people to: 

  • Never share personal information, including financial information over the phone, email, or SMSes.  
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • People who are concerned about their exposure in the Darkweb can register at AmiBreached.com to ascertain their exposure.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.   

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

Recent Blogs

Colombia OT Devices Blog

CRIL investigates the evolving threat landscape of hacktivism leading to cyberattacks on Colombian Critical Infrastructure and Zero-day Sales by Hacktivists.

Read More »
Bl00dy Ransomware Targets Indian University

CRIL analyzes Bl00dy Ransomware’s recent targeting of an Indian University via exploitation of the PaperCut vulnerability.

Read More »
PixBankBlog ATS Blog

Cyble analyzes PixBankBot, a new ATS-based malware that targets Brazilian banks through the popular Pix instant payment platform.

Read More »
Scroll to Top