Millions of MyDeal users have data sold online after breach

Australian retail marketplace MyDeal has confirmed it suffered a data breach that has affected more than two million of its customers.

The company contacted all affected customers explaining the incident, saying that an unknown attacker compromised its systems and accessed customer identity data. 

According to BleepingComputer, the threat actor managed to obtain the login information for MyDeal’s Customer Relationship Management (CRM) platform, and used it to extract sensitive data belonging to around 2.2 million users.

MyDeal data sold

That data included names, email addresses, phone numbers, postal addresses, and, for some, birth dates. For a smaller subset of users (1.2 million), the hackers only managed to obtain email addresses.

While details on the perpetrators are scarce, what they’re doing with the data is clear: trying to sell it on an underground forum for $600. 

According to the company, the number of entries in the database, which is still being parsed by the attacker, currently stands at over one million, with the number predicted to rise. 

To prove the authenticity of the attack, the attackers posted screenshots of MyDeal’s Confluence servers, as well as the Single Sign-On (SSO) prompt for its account with Amazon Web Services (AWS).

MyDeal also said the attackers did not obtain any payment information, identification documents data, or passwords. Still, it suggests users reset their passwords anyway. Such an attack would not have been prevented even with the best password managers.

MyDeal is an Australian retail marketplace that seeks to connect local retailers with potential shoppers.

It was acquired by Woolworths in September 2022, but the supermarket chain claims its systems are on a different platform, and therefore completely safe from the attackers. 

While crooks may not have gotten payment data, or passwords, they still have enough information for identity theft or phishing attacks, so users are urged to remain vigilant.