Quidd, which is an online marketplace for trading stickers, cards, toys, and other collectibles, revealed a data breach that it had suffered in 2019.
The data of almost four million users has been exposed and is now available on underground hacking forums for free. The compromised data includes usernames, email addresses, and hashed account passwords.
The data breach was first reported last week by Risk Based Security. According to them, the compromised records were originally posted on March 12th, 2020, and the post was credited to a threat actor named “Protag”. The files were immediately removed, then reappeared on March 29th, this time uploaded by a different user, and they are still available.
When Quidd users were contacted, they confirmed that the data is authentic.
According to experts, the Quidd dump had been available in private high-level groups for months, and it had been advertised on hacking forums and Pastebin since at least October.
The data was available privately in exclusive rings for months, and now the info has leaked into the public domain.
The data is now available on multiple hacking forums, and many sellers are sharing download links for the large dump.
The bcrypt hashing algorithm is very hard to crack, but it can still be easy to compute the hashes of weak passwords and match them against the leaked hashes.
It was found that one threat actor managed to crack almost a million password hashes. Another hacker was found to be selling access to more than 135,000 cracked Quidd passwords.
It is recommended that all Quidd users change their passwords as soon as possible.