Chinese site selling stolen accounts found exposing 600,000 records, including customer information
A Chinese site that sells stolen accounts and personal information has been found to have exposed more than 600,000 records of stolen data and customer information.
Detailed Tuesday by security researcher Jerimiah Fowler at vpnMentor, the site is called Z2U and operates as a gaming market. The site pitches itself as a “trade environment between gamers and games,” but further investigation, including of the leaked data, found much more.
The exposed data, found on a non-password-protected database labeled as customer support attachments, contained everything from Facebook and Instagram accounts, access to HBO, Netflix and Disney+ accounts and Windows license keys at a fraction of the real price. Sellers were also found to be offering viruses and malware.
The database was found to be a treasure trove of stolen information, including images of credit cards, customers, passports and other identification documents. Records show bank transaction payments, including international bank account numbers, user logins, emails and passwords for accounts, user logins and passwords and software license keys.
The database also showed records of order confirmations, including the buyer’s name, email and date of purchase, the sales of access to streaming and social media accounts, and other related buying details. So not only did the database contain stolen information, but it also contained information about those who purchased illicit items from the site.
The exposed data, not only the stolen account credentials but of those using the site, would provide a wealth of potential uses to bad actors. Given the customer information side, it would come in handy to law enforcement as well.
Despite the site’s nefarious use, Fowler complied with responsible disclosure and informed the Z2U that the database was exposed. It was taken offline a week after Fowler first reached out. It’s unknown how long the database was exposed or who may have had access to it.
“When data breaches occur, they not only put the affected users at risk of identity theft and fraud but also damage the reputation and potential revenue loss of the organizations involved,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Organizations must prioritize and implement robust database security measures to avoid the risk of sensitive information from their customers, clients, or patients being released or exposed to the public internet.”
Image: TheDigitalArtist/Pixabay
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU