Australian retail marketplace MyDeal has confirmed it has suffered a data breach that has affected more than two million of its customers.
The company contacted all affected customers, explaining the incident and saying that an unknown attacker compromised its systems and accessed customer identity data.
According to BleepingComputer, the attacker managed to steal the credentials for the Customer Relationship Management (CRM) platform and used them to extract sensitive data from around 2.2 million users.
MyDeal data sold
This information included names, email addresses, phone numbers, mailing addresses and, for some, dates of birth. For a smaller subset of users (1.2 million), the hackers only managed to get email addresses.
While details on the perpetrators are scarce, what they’re doing with the data is clear: They’re trying to sell it on an underground forum for $600.
According to the company, the number of entries in the database that are still being parsed by the attacker is currently over a million, and the trend is rising.
To prove the authenticity of the attack, the attackers posted screenshots of MyDeal’s Confluence servers and the single sign-on (SSO) request for its Amazon Web Services (AWS) account.
MyDeal also said the attackers did not obtain any payment information, ID document data or passwords. Still, it suggests that users reset their passwords anyway. Such an attack would not have been prevented even with the best password managers.
MyDeal is an Australian retail marketplace trying to match local retailers with potential buyers.
It was acquired by Woolworths in September 2022, but the supermarket chain claims that their systems are on a different platform and are therefore completely safe from the attackers.
While crooks may not have obtained any payment details or passwords, they still have enough information for identity theft or phishing attacks, so users are urged to remain vigilant.
Source: Millions of MyDeal users have data sold online after breach, https://www.techradar.com/news/over-2-million-mydeal-users-have-had-their-data-sold-online-after-a-breach