
Collectibles app’s user credentials collected, posted on dark web forum

A post on a dark web hacking forum has exposed four million user credentials that were taken from Quidd, an app designed for trading collectibles featuring popular brands, entertainment properties and fictional characters.

Risk-Based Security reported via a company blog post that its Data Breach Research discovered the pilfered data, which the forum is not selling but rather making available "in a non-restricted manner."

Affected data includes email addresses, usernames, and bcrypt-hashed passwords of 3,954,416 users, the blog post states. "One threat actor responded to the post stating that he has already cracked, or decrypted, nearly a million password hashes," the report continues.

Among the leaked credentials are more than 1,000 business emails from major companies such as AIG, Experian, Microsoft, Target and more, which increases the risk of future spear phishing and business email compromise campaigns targeting those organizations.

The data dump was posted on March 12 by an individual who goes by the alias Protag and then reloaded by a different user on March 29.

SC Media reached out to a press contact for Brooklyn-based Quidd and requested comment.

"In addition to changing Quidd account passwords, users should also change the passwords on other accounts that use the same password to prevent credential stuffing attacks," said Paul Bischoff, privacy advocate with Comparitech. "Credential stuffing occurs when hackers use login credentials from one service to attempt logging in on other services, because they know many people reuse passwords across multiple accounts."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
