MyDeal Breach: Users’ Private Information for Sale
Data breaches are occurring regularly all over the world as cybercriminals are targeting big companies everywhere. However, Australia seems to be on the attackers’ radar lately. They breached Optus a few weeks back and now, their latest victim comes in the form of the Australian retail marketplace MyDeal.
Woolworths’ subsidiary connects online shoppers with local retailers where they can buy furniture, homewares, appliances, technology, as well as hardware. In other words, as one of the largest marketplaces, MyDeal has millions of customers.
Apparently, hackers knew that when they breached the company and now, they’re seeing the data of around 2.2 million users online. What happened? Who is affected and what information is for sale? Find out below.
The MyDeal Breach – Quite a Malicious Offer
As we mentioned, the number of data breaches is increasing drastically and it doesn’t seem to be stopping anytime soon. Not long ago, the Indian complaint redressal platform – Swachh City – disclosed a breach that affected over 16 million users.
Before that came the U-Haul breach where hackers managed to get their hands on customers’ names and driver’s license information. Now, over 2.2 million MyDeal customers have been impacted and their personal information is up for sale on a hacking forum.
Yes, the attacker is now selling the harvested information on a hacking forum for $600. According to the hacker, the on-sale data consists of 1 million entries, but more will be added soon.
To further prove that the hack is real, the threat actors shared several screenshots of what they claim are MyDeal’s Confluence server and a single-sign-on prompt for the company’s AWS account. The images below reflect their statement:
The threat actor behind the attack released additional stolen data of 286 alleged MyDeal customers. This shows that the breach is totally legit.
However, despite the huge breach, the company states that no credit card numbers, government identification numbers, or account passwords were exposed.
Have I Been Pwned?
The company shared an official statement disclosing the breach. Surprisingly, one of the recipients was none other than Troy Hunt – Have I Been Pwned?’s creator. Here’s what he had to say via Twitter:
The funny thing is, the cybersecurity expert stated that he doesn’t recall having a MyDeal account. Additionally, the attackers seem to be trolling in MyDeal’s Zendesk customer support system as exhibited in this screenshot:
Since the large majority of MyDeal’s customers are not affected by this incident, containing the impact of the breach should be an easy task.
The company is taking immediate steps to tighten security across its entire platform and is urging users to reset their passwords.
600 Dollars – Cheap Deal, Expensive Impact
Data breaches will keep occurring as long as cybercriminals are out there. MyDeal is one of several Australian companies to be targeted and we hope it’s the last.
With millions of customers, who knows what cybercriminals can do? The breach didn’t expose payment information, but it did include emails.
In other words, other threat actors will be interested in buying the data for future use – mainly for phishing scams. We highly recommend you stay vigilant when you receive an email from MyDeal.