Event organizing service Peatix Inc. has suffered a data breach with the details of up to 6.77 million users offered for sale online.

The data breach, reported to have occurred earlier this month, included full names, usernames, emails and hashed passwords. According to ZDNet today, the user data was being advertised for sale via Instagram Stories, Telegram channels and on several different hacking forums.

The data was stolen via an unspecified “unauthorized access” that occurred between Oct. 16 and 17. The company, which has offices in both Japan and New York, disclosed the incident via a press release in Japanese Nov. 17. TechCrunch Japan reported that the data stolen primarily consisted of government event-related data, specifically from Kagoshima, Saitama, Utsunomiya City, Fukui City and Miyazaki City. It’s not clear whether any data from users outside of Japan was also stolen, but the company does have customers outside of Japan.

Peatix said it has blocked the unauthorized access to its database and is strengthening its security measures with the assistance of external security firms. The company also reset all user passwords as a precaution.

The company also offers an online live event platform, a service that has become popular in the age of COVID-19. The company pitches Peatix Live as a “high-quality viewing solution for event organizers to create secured and paid online live experiences.” Tapping into Peatix’s event platform, the service is said to provide attendees with a secured and exclusive avenue to enjoy paid content through a proprietary network and player via Peatix’s website and mobile apps on iOS and Android.

“The data leak containing millions of Peatix usernames, emails and hashed passwords puts these victims around the world at risk for fraud and account takeover,” Robert Prigge, chief executive officer of identity verification company Jumio Corp., told SiliconANGLE. “Threat actors can decipher hashed passwords and leverage bots and credential stuffing to try these login credentials across thousands of websites (including banking portals, social media accounts, healthcare sites and more) in search of an opening.”

Peatix’s response to reset passwords isn’t enough to keep user accounts protected, Prigge added. “Instead, online organizations should turn to a safer and more secure alternative like biometric authentication, which will confirm the authorized user is the one logging in, ensuring personal data is protected from cybercriminals and data breach brokers,” he said.

Boris Cipot, senior sales engineer at electronic design automation company Synopsys Inc.’s Software Integrity Group, stolen data usually shows up on secretive deep web forums or pages. In this case, though, social media platforms such as Instagram and messaging app Telegram were used to promote stolen names, usernames, hashed passwords and email addresses.

“Peatix has issued a notification on their webpage about the breach and are also contacting users to change their password on the platform to avoid possible account misuse,” Cipot added. “Users should, however, also change their passwords on other services where they have been reused. It is also critical that users are vigilant as their data may be used in phishing campaigns in an attempt to gather additional data or even gain access to their computer. As such, be wary of emails with attachments or links.”

Image: Peatix