Online shopping is fun. You can sit in the comfort of your home and order whatever you want from anywhere in the world and it will come right to your doorstep. It’s convenient and less stressful than in-store shopping…but it also exposes you to a number of online threats linked to ecommerce platforms, like brushing scams or data breaches.
A recent example is the Pandabuy data breach. In March 2024, Pandabuy, a popular Chinese online shopping platform, suffered a data breach that exposed the personal information of over a million customers to hackers. If you’ve used Pandabuy to shop, your data may have been leaked and your personal details compromised.
Don’t panic. This article will help you figure out whether you were impacted by the Pandabuy data breach (or any data breach at all) and what steps you need to take to protect yourself.
Yes, Pandabuy got hacked. On March 31, two hackers with the nicknames “Sangierro” and “Intelbroker” posted customer data stolen from Pandabuy on a popular hacking forum, BreachForums.
Many people believed the leaked data was legit, since Intelbroker is allegedly responsible for a number of significant data breaches, including those affecting Facebook Marketplace, AT&T, Verizon, T-Mobile, and US Citizenship and Immigration Services (USCIS). The authenticity of the leaked email addresses was also confirmed by Troy Hunt, a Microsoft Regional Director, who checked the leaked account details and traced their source to Pandabuy.
The Pandabuy breach has exposed its customers to a number of serious cybersecurity risks, including identity theft, phishing attacks, and password breaches.
The hacker, Sangierro, claimed that they breached the internal service of Pandabuy’s website and stole the following data:
The hacker published a sample of this data as proof and told people on BreachForums that the stolen data was available for sale for $40,000. A Pandabuy spokesperson admitted that they had been exploited by the same hacker before and had paid the hacker to stop the data leak, only to get hacked again.
If your personal information was among the sample leaked, bad actors like scammers, stalkers, or other hackers may have access to it, which is dangerous. They can use the information to access multiple accounts, such as your email, social media, and online banking accounts.
According to the hacker, they stole the data by exploiting multiple critical vulnerabilities in Pandabuy’s API. With access to the API, other bugs were found, allowing access to the website's internal services.
Simply put, Pandabuy didn’t tighten up security in their API, and the hacker used this weakness to access its internal service, where customers' personal data was collected and stored.
No one knows exactly who was impacted by the Pandabuy data breach, but anyone who has previously used the platform to shop may have been a victim.
The hacker claimed that the data of over 3 million users was breached, but the confirmed actual number was 1,348,407. The rest may have been duplicates or intentionally generated to inflate the figure.
Fortunately, you can completely avoid situations like this with Cloaked.
Cloaked allows you to create pseudo phone numbers, emails, and passwords and use them in any situation where a website is asking for your personal information. This way, no one can hack your other accounts with credentials from a breached account. It has a feature that automatically replaces existing information on your old accounts with secure email addresses, phone numbers, usernames, and passwords.
Cloaked also provides you with identity theft protection which includes up to $1 million in coverage against identity theft and 24/7 specialist support for identity theft resolution.
If you suspect the Pandabuy data breach impacted you, you’ll need to check if your data has been leaked, then protect yourself to prevent your personal data/identity from being used. Here’s how:
The first thing you should do is check whether your data was among the data exposed in the Pandabuy breach. You can do this by going to HaveIBeenBreached and entering your personal email or phone number.
If you’ve been breached on Pandabuy, you should immediately change your Pandabuy password and the password on any other accounts where you used the same or a similar password. This will prevent scammers or other hackers from accessing your data on other platforms.
Many data breaches have happened over the years on popular websites you’ve most likely used. You’ll see that on the Have I Been Breached website. You should also change your credentials on those platforms.
You can use Cloaked to automatically reset all your passwords and change them to unique secure passwords that you can store within Cloaked’s encrypted password manager.
Two-factor authentication adds an extra layer of security to your accounts. With 2FA, if a hacker manages to steal your username and password, they’ll still need access to a security token on a second device (usually your phone) to gain access to your account.
Check your financial accounts, emails, online dating, and social media accounts for unauthorized transactions and any unusual or suspicious activity. If you suspect your bank account has been compromised, contact your bank to freeze your credit card.
If you see any unauthorized purchases on your Pandabuy account, contact Pandabuy support immediately.
Other hackers may try to exploit the Pandabuy data breach using phishing attacks. Ignore any messages or emails from Pandabuy or other companies asking for your personal information. Do not click any links you didn’t request.
If you suspect your security questions and answers were also compromised, change them to new ones that are completely different from the current ones.
Keep yourself updated on what’s going on with the Pandabuy data breach and on cybersecurity best practices to ensure you’re always protected online.
Here’s more information you should know about the Pandabuy data breach:
Pandabuy’s Discord admin claimed their technical team had already resolved the incident and that the stolen data was stale. They also urged Discord members to stop causing panic by spreading rumors. Some social media users even believe Pandabuy censored posts on Reddit and Discord in an attempt to cover up the data breach.
Later, Pandabuy acknowledged the data breach and apologized to its users, saying that hackers used illegal technology to breach their database security. They noted that users' financial and personal information was not exposed in the breach, and legal measures would be taken to force the hackers to delete the stolen data.
Pandabuy’s data was leaked because of vulnerabilities in the platform’s API. The hackers claimed to have found bugs and several vulnerabilities that they exploited to gain access to the internal service of Pandabuy’s website.
If you’ve checked your breach status, you may have discovered that your data has been breached on multiple platforms. Don’t freak out! You can manually change your passwords on these platforms, which takes time, or you can use Cloaked.
But that’s not all. Cloaked also helps you remove personal info from 120+ Data Brokers and other sites and offers you identity theft protection with up to $1 million in coverage against identity theft.
Make data breaches the least of your worries with Cloaked.