Cybercriminals spilled 50 million stolen consumer records including credit card data and personally identifiable information (PII) in what is being spun by hackers as a 'Free Leaksmas' gift.
Criminals posting on underground forums used the “Free Leaksmas” tag to promote the releases, which included troves of data pilfered from companies and governments representing a dozen countries, according to researchers familiar with the cache.
Researchers at Resecurity monitored the activity and, in a Dec. 27 post, described it as cybercriminals displaying “a form of mutual gratitude” as the end of the year approached.
“The actual damage resulting from this activity could potentially amount to millions of dollars.”
Wide range of government and corporate data leaked
The largest “Leaksmas” dump reported by Resecurity was a dataset containing 22 million records stolen from Peruvian telecommunications provider Movistar. It included customers’ phone numbers and DNI (Documento Nacional de Identidad) numbers.
“The DNI, being the sole identity card recognized by the Peruvian Government for all civil, commercial, administrative, and judicial activities, makes its exposure on the Dark Web a serious threat, potentially leading to widespread identity theft and fraud,” the researchers said.
“This incident underscores the critical need for robust Digital Identity Protection programs, particularly in Latin America, where there is an escalating trend of cyber-attacks resulting in major data breaches and significant damages.”
Also released were 2.5 million customer records from GUMAC, a Vietnam-based online women’s fashion store.
“Such a database is a valuable asset for spammers and illegal affiliate marketing specialists, offering them the potential to generate substantial profits during the winter holiday season,” Resecurity said.
Over 2 million stolen records from Mexico’s second-largest bank, Citibanamex, were posted, along with 1.5 million records from French company Mobbiz, and over 15GB of data from AEON, a major Filipino credit service.
The researchers said one of the smaller, but “noteworthy” leaks they observed was a dump from Italian online military and outdoor clothing store Italia Militare.
“While the database contained only 2,000 records, the nature of the audience – individuals interested in military gear – makes it particularly attractive to foreign cyber actors, especially those with a focus on defense-related information,” they said.
“In addition to these individual leaks, the perpetrators also released larger compilations of data, consisting of multiple separate data breaches. Some of these were extensive packages, known as combo-lists, containing millions of records that included emails and passwords.”
SiegedSec shares a Christmas message
While multiple hackers and groups were involved in the “Leaksmas” activity, Resecurity said the most prominent actor was the threat group SiegedSec, which claimed responsibility for November’s Idaho National Laboratory data breach, involving the theft of data relating to 45,000 individuals.
SiegedSec shared a Christmas message in the forums that mentioned the exfiltration of citizen data, “suggesting that we can anticipate more unexpected actions from them in the upcoming year,” the researchers said.
SiegedSec’s message also stated: “All I want for Christmas is the destruction of the government.”
Almost three-quarters of the 50 million leaked records observed by Resecurity on Dec. 24 were sourced from three countries: Peru (34%), the United States (22%), and the Philippines (18%). Other countries impacted were France, Vietnam, Italy, Russia, Mexico, Switzerland, Australia, India, and South Africa.
“This widespread geographical distribution highlights the extensive global reach and severe impact of these cybercriminal activities,” the researchers said.