Woolworths’ MyDeal subsidiary has disclosed a data breach affecting 2.2 million customers, with the hacker trying to sell the stolen data on a hacker forum.
MyDeal is an Australian retail marketplace that connects online shoppers with local retailers.
Retail giant Woolworths purchased 80% of the company in September but said its own systems are on a completely different platform and unaffected by the incident.
Last Friday, MyDeal stated that it suffered a breach after a hacker used compromised user credentials to access the company’s Customer Relationship Management (CRM) system, allowing the threat actor to view and export customer information.
The company says that 2.2 million customers were impacted by the data breach, with information such as names, email addresses, phone numbers, delivery addresses, and in some cases, birth dates exposed in the attack.
For 1.2 million customers, only the email addresses were exposed in the breach.
However, MyDeal states that no payment information, government IDs, or account passwords were exposed.
MyDeal has already begun to send data breach notifications to affected customers and says that customers who do not receive one were not affected.
Hacker starts selling MyDeal data
On Sunday, the hacker behind the MyDeal breach began selling the stolen data on a hacking forum for $600.
The hacker claims that the data currently consists of 1 million entries but that the number of exposed customers will increase as they finish parsing the database.
As proof of their attack, the threat actor released screenshots of what they claim are the company’s Confluence server and a single-sign-on prompt for the company’s AWS account.
Today, the threat actor released samples of the stolen data, exposing the personal information of 286 alleged MyDeal customers.
While MyDeal said that no passwords were exposed in the attack, it is suggested that you err on the side of caution and reset your passwords anyway.
As it is common for threat actors to purchase stolen data to use in their own attacks, all MyDeal customers should also be on the lookout for targeted phishing attacks.