Security researchers have discovered almost four million credentials linked to digital collectibles site Quidd, including a sizeable number of corporate email addresses.
Risk Based Security’s Data Breach Research Team announced the discovery on Friday, revealing the data was available “on a prominent deep web hacking forum.”
It apparently features the email addresses, usernames and bcrypt-hashed passwords of 3,954,416 users.
“The compromised data sets were originally posted on March 12 2020 and self-attributed to a threat actor named ‘Protag.’ However, the files were quickly removed,” the firm explained.
“The data resurfaced on March 29 2020 when it was reuploaded by a different user and has since remained available. One threat actor responded to the post stating that he has already cracked, or decrypted, nearly a million password hashes.”
Although the use of bcrypt will make the passwords harder for cyber-criminals to monetize, concerns persist, especially for some businesses.
Around 1000 of the user credentials are linked to corporate email addresses, including the accounts of employees at Microsoft, Target, Virgin Media, Accenture, Experian, AIG and other organizations.
Risk Based Security warned the corporate angle could put these firms at extra risk from business email compromise (BEC) and spear-phishing attempts.
That’s besides the more general risk of credential-stuffing attackers replaying the four-million-strong data trove against other services in the hope that users reused their passwords.
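To make the two risks above concrete from a defender's side, here is an added example (not code from the article or from Risk Based Security) of the triage a security team would run over a dump like this one: it checks whether each hash is actually bcrypt and records its cost factor (the work factor that makes offline cracking slow), and flags accounts on domains the team is responsible for so they can be forced through a password reset and MFA review. The dump lines and the colon-separated layout are constructed assumptions, not real Quidd records.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample in the shape the article describes (email, username, hashed
# password). These are NOT real Quidd records; the colon layout is an assumption.
SAMPLE_DUMP = """\
alice@example-corp.com:alice_q:$2b$12$abcdefghijklmnopqrstuuabcdefghijklmnopqrstuvwxyz01234
bob@gmail.com:bobby:$2a$10$abcdefghijklmnopqrstuuabcdefghijklmnopqrstuvwxyz01234
carol@example-corp.com:carol:$2b$12$abcdefghijklmnopqrstuuabcdefghijklmnopqrstuvwxyz01234
dave@example.org:dave:5f4dcc3b5aa765d61d8327deb882cf99
"""

def bcrypt_cost(hash_str):
    """Cost factor (log2 of key-schedule rounds), or None if not a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None

def parse_record(line):
    """Split one dump line into (email, username, hash); None if malformed."""
    parts = line.strip().split(":", 2)
    if len(parts) != 3 or "@" not in parts[0]:
        return None
    return parts[0].lower(), parts[1], parts[2]

def triage(dump_text, watched_domains):
    """Summarise a dump for a responder: how many hashes are bcrypt, the weakest
    cost factor present, and which accounts belong to domains we defend."""
    watched = {d.lower() for d in watched_domains}
    out = {"total": 0, "bcrypt": 0, "non_bcrypt": 0, "min_cost": None, "watched": []}
    for line in dump_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        email, _user, pw_hash = rec
        out["total"] += 1
        cost = bcrypt_cost(pw_hash)
        if cost is None:
            out["non_bcrypt"] += 1  # unsalted/fast hash: treat the password as exposed
        else:
            out["bcrypt"] += 1
            out["min_cost"] = cost if out["min_cost"] is None else min(cost, out["min_cost"])
        if email.rsplit("@", 1)[1] in watched:
            out["watched"].append(email)  # candidates for forced reset and MFA review
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, {"example-corp.com"}))
```

A low minimum cost factor or any non-bcrypt hashes in the dump shortens the window before cracked passwords start being replayed, which is the signal to prioritise resets.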
Quidd itself has not responded to the researchers’ inquiries about the incident since its discovery. The Brooklyn-based firm deals in “digital collectibles” from over 300 brand partners including Disney and DC Comics.
According to Risk Based Security, the leaked data is not being offered for sale, but access to it is also unrestricted.