Shopping platform PandaBuy data leak impacts 1.3 million users

Data belonging to more than 1.3 million customers of the PandaBuy online shopping platform has been leaked, allegedly after two threat actors exploited multiple vulnerabilities to breach its systems.

PandaBuy allows international users to purchase products from various e-commerce platforms in China, including Tmall, Taobao, and JD.com.

Yesterday, a threat actor named 'Sanggiero' claimed a breach on PandaBuy, allegedly performed together with another threat actor called 'IntelBroker.'

"The data was stolen by exploiting several critical vulnerabilities in the platform's API and other bugs were identified allowing access to the internal service of the website," the threat actor said.

"The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on."

Threat actor's post on BreachForums
PandaBuy customer details leaked (BleepingComputer)

According to data breach aggregation service Have I Been Pwned (HIBP), 1,348,407 PandaBuy accounts have been exposed in the breach.

The details of PandaBuy shoppers were leaked on a forum and can be obtained by any registered member in exchange for a symbolic payment in cryptocurrency.

To prove to unregistered members that the information is valid, the threat actor provides a small sample containing email addresses, customer names, order numbers and details, shipping addresses, transaction dates and times, and payment IDs.

Troy Hunt, the creator of HIBP, tested password reset requests using the leaked addresses and confirmed that at least 1.3 million email addresses are valid and come from PandaBuy. The rest are made-up and duplicate addresses, so the "3 million" figure was inflated by the threat actors.


PandaBuy has not made any statements about the data breach. According to some reports, the company is trying to conceal the incident by censoring user posts on Discord and Reddit.

A company representative with an administrator role on the Discord channel said that a security incident had occurred in the past, that the leaked data was old, and that the platform's security team had responded to the issue promptly.

Posts on Discord
Admin posts on Discord (@BestAdamDaGoat)

If you have an account on PandaBuy, it is strongly recommended to reset your password. Also, remain vigilant for scam attempts and treat unsolicited communications with suspicion.

PandaBuy user data has been added to HIBP and subscribers to the service should have received an email informing them of the leak.
