
Cybercriminals launched “Leaksmas” event in the Dark Web exposing massive volumes of leaked PII and compromised data

Even as the New Year approached and the world celebrated the festive Christmas season, the cybercriminal community did not pause its activities. Instead, it marked the holiday season in its own way. On Christmas Eve, Resecurity observed multiple actors on the Dark Web releasing substantial data dumps. These were the result of data breaches and network intrusions into a variety of companies and government agencies. Numerous leaks disseminated in the underground cyber world were tagged with 'Free Leaksmas,' indicating that these significant leaks were shared freely among various cybercriminals as a form of mutual gratitude.

Ironically, this display of generosity among cybercriminals is far from a cause for celebration for victims globally. It will inevitably result in them facing a host of adverse effects, such as account takeovers (ATO), business email compromises (BEC), identity theft, and financial fraud. Significantly, the data breaches weren't confined to the United States; they extended globally, impacting individuals in a wide range of countries including France, Peru, Vietnam, Italy, Russia, Mexico, the Philippines, Switzerland, Australia, India, South Africa, and even mixed international sources. This widespread geographical distribution highlights the extensive global reach and severe impact of these cybercriminal activities.

A significant event during the 'Leaksmas' in the Dark Web involved the release of a large dataset from Movistar, a leading telecommunications provider in Peru. This dataset contained over 22 million records, including customers' phone numbers and DNI (Documento Nacional de Identidad) numbers. The DNI, being the sole identity card recognized by the Peruvian Government for all civil, commercial, administrative, and judicial activities, makes its exposure on the Dark Web a serious threat, potentially leading to widespread identity theft and fraud. This incident underscores the critical need for robust Digital Identity Protection programs, particularly in Latin America, where there is an escalating trend of cyber-attacks resulting in major data breaches and significant damages.

On Christmas, a government agency in Chile experienced a security breach.

In another incident targeting the Asia-Pacific region, cybercriminals released a substantial leak involving one of the major credit services in the Philippines. The perpetrators disclosed over 15.77 GB of data in this breach.

The "Leaksmas" event continued with another significant breach, this time involving a French company. Approximately 1.5 million records from this company were shared freely on the Dark Web.

Cybercriminals also "gifted" a leak involving 1.4 million records, associated with a project that was later acquired by Klarna, a Swedish fintech company. Interestingly, rumors of a potential data breach had been circulating since 2022, and several users had received notifications regarding it. However, the complete data dump had not been freely available on the Dark Web until this event.

Returning to the Asia-Pacific region, another significant leak that was freely shared on the Dark Web involved a Vietnam-based fashion store. This breach exposed over 2.5 million victim records. Such a database is a valuable asset for spammers and illegal affiliate marketing specialists, offering them the potential to generate substantial profits during the winter holiday season.

An additional noteworthy leak involved a hacked online military gear shop based in Italy. While the database contained only 2,000 records, the nature of the audience – individuals interested in military gear – makes it particularly attractive to foreign cyber actors, especially those with a focus on defense-related information.

The perpetrators also targeted India, a country known for its vast economy and rapid pace of digitization.

On Christmas, there was a relatively new leak involving a sushi restaurant network from Russia, comprising over 164,052 records. This dataset was notable for not having been previously seen on the Dark Web, making it potentially of particular interest to certain actors.

There was a significant leak involving over 2 million records of banking customers from Mexico. It's highly probable that these records were obtained directly from a breached financial institution, a lending provider, or a telemarketing operator that specializes in generating leads for the financial industry. Interestingly, this particular dataset had been previously offered for sale but became freely available during this event. Our assessment suggests that this data might have originated from an older breach, possibly dating back to 2021-2022. Despite its age, the information remains relevant in 2024, as it's unlikely that all the affected individuals would have updated their personal information since the breach.

Another significant incident involved a massive data leak from ESSEMTEC.

In addition to these individual leaks, the perpetrators also released larger compilations of data, consisting of multiple separate data breaches. Some of these were extensive packages, known as combo-lists, containing millions of records that included emails and passwords.

"All I want for Christmas is the destruction of the government."

The most prominent figures in the data leaking activity on the Dark Web during the Christmas period were undoubtedly the actors from SiegedSec. They gained particular notoriety for previously releasing exfiltrated data from the Idaho National Labs.

The group SiegedSec has made public claims about successfully hacking into unspecified government resources. Before this, they had celebrated a successful attack on Shufersal, Israel's largest supermarket chain, which they referred to as a “Christmas Gift” in support of Palestine. They also targeted BEZEQ! and Cellcom, one of Israel's leading telecommunications companies. It's worth noting that there have been claims from some groups about ending their associations with SiegedSec due to their stance, but the authenticity of these claims has not been fully verified.

In their Christmas message, SiegedSec mentioned the exfiltration of citizen data, suggesting that we can anticipate more unexpected actions from them in the upcoming year.

cont...
