
Tokopedia and Microsoft Breach Broker selling fresh trove of 26 million accounts

Executive Summary

ZeroFOX Alpha Team has identified a dark web breach broker selling three large, high-profile breaches. The dealer, who goes by the alias ShinyHunters, is offering these breach dumps for sale on a dark web forum for prices between $1500 and $2500 USD. The ShinyHunters group has breached numerous organizations in recent weeks, including Tokopedia, a major Indonesian e-commerce company, and Unacademy, an Indian online learning platform. Allegedly, the group is also behind the recent breach of Microsoft’s private GitHub repositories, which contain the source code of future open-sourced projects. Although the code has not yet been released, the ShinyHunters group has threatened to release it publicly for free. The new breaches include Chicago-based home meal kit delivery service HomeChef, online printing and photo store ChatBooks, and Chronicle.com, a news website dedicated to covering colleges and universities. In total, these breaches contain the user data and passwords of 26,000,000 accounts.

HomeChef Breach

The HomeChef breach contains 8 million records, and a sample set of records was posted to a paste website. The rows contain emails, bcrypt-hashed passwords, IP addresses and a number of columns of PII, such as the last four digits of Social Security numbers, zip codes and phone numbers. The breach has a sale price of $2500 USD.

Figure 1: HomeChef Breach Sample Posted by Shiny Hunters
Figure 2: HomeChef Breach Sellers Page

Chatbooks Breach

The Chatbooks breach contains 15 million rows of data. ShinyHunters also posted a sample set to a paste website. The rows contain emails, SHA-512 password hashes, social media access tokens and a number of fields of personally identifiable information. The breach has a sale price of $2000 USD.

Figure 3: ChatBooks Breach Sample Posted by Shiny Hunters
Figure 4: ChatBooks Breach Sellers Page

Chronicle.com Breach

The Chronicle.com breach contains 3 million records, but ShinyHunters did not post a sample set of data or indicate in their post what the data contains. The breach has a sale price of $1500 USD.

Figure 5: Chronicle.com Breach Sellers Page

Other aliases for ShinyHunters Breach Broker

ShinyHunters isn’t the only moniker this actor has used. The group made a post on May 6, 2020 on a popular cybercrime forum indicating that they’ve pilfered 500 GB of internal source code from Microsoft. 

Figure 6: Microsoft Breach Post by fs0c131y/Shiny Hunters

According to BleepingComputer, ShinyHunters reached out to them directly to confirm the story. The sales ad for the Microsoft leak was authored by “fs0c131y”, a moniker known from the show Mr. Robot and also the handle of a popular hacker on Twitter. Using the names of popular influencers on these forums is nothing new; for example, Brian Krebs and Troy Hunt have impersonators. What links fs0c131y and ShinyHunters is that fs0c131y posted the same contact information that appears on the ShinyHunters shop on the dark web.

Figure 7: Tokopedia Breach Post by fs0c131y/Shiny Hunters

Conclusion

ShinyHunters is taking a page out of the book of gnosticplayers, the breach data broker who in 2018-2019 pilfered billions of records from dozens of companies and sold them online. Due to the verification of the Tokopedia breach by multiple researchers and the company itself, ZeroFOX Alpha Team has HIGH confidence that these new breaches are legitimate, and will most likely be available on other breach marketplaces at lower prices in the near future. It is likely that this actor will continue to breach companies and post their content for sale. These tactics proved both successful and profitable for gnosticplayers, and it is likely they will continue to appeal to other breach brokers for these reasons.
