"Shopping Platform PandaBuy Data Leak Impacts 1.3 Million Users"

Have I Been Pwned (HIBP) recently announced that data belonging to more than 1.3 million customers of the PandaBuy online shopping platform has been leaked, allegedly after two threat actors exploited multiple vulnerabilities to breach the platform's systems. PandaBuy allows international users to purchase products from various e-commerce platforms in China, including Tmall, Taobao, and JD.com. HIBP noted that a threat actor named "Sanggiero" recently claimed a breach of PandaBuy, allegedly carried out together with another threat actor called "IntelBroker." The threat actor says the data was stolen by exploiting several critical vulnerabilities in the platform's API, and that other bugs were identified that allowed access to the internal service of the website. The threat actor said the data contained 3M+ unique UserIds, First Names, Last Names, Phone Numbers, Emails, Login IPs, Orders_Data, Orders_Id, Home_address, Zip, Country, and more. HIBP noted that, to prove to unregistered members that the information is valid, the threat actor provides a small sample containing email addresses, customer names, order numbers and details, shipping addresses, transaction dates and times, and payment IDs. Troy Hunt, the creator of HIBP, tested password reset requests using the leaked addresses and confirmed that at least 1.3 million email addresses are valid and come from PandaBuy. Hunt noted that the rest are made-up and duplicate addresses, so the "3 million" figure was inflated by the threat actors. PandaBuy has not made any statements about the data breach.

 

BleepingComputer reports: "Shopping Platform PandaBuy Data Leak Impacts 1.3 Million Users"

Submitted by Adam Ekwall on