Collecibles app’s user credentials collected by dark web forum user

A post on a dark web hacking forum has exposed four million user credentials that were taken from Quidd, an app designed for trading collectibles featuring popular brands, entertainment properties and fictional characters.

Risk-Based Security reported via a company blog post that its Data Breach Research discovered the pilfered data, which the forum is not selling but rather making available “in a non-restricted manner.”

Affected data includes email addresses, usernames, and bcrypt-hashed passwords of 3,954,416 users, the blog post states. “One threat actor responded to the post stating that he has already cracked, or decrypted, nearly a million password hashes,” the report continues.

Among the leaked credentials are more than 1,000 business emails from major companies such as AIG, Experian, Microsoft Target and more, which increases the risk of future possible spear phishing and business email compromised campaigns targeting those organizations.

The data dump was posted on March 12 by an individual who goes by the alias Protag and then reloaded by a different user on March 29.

SC Media reached out to a press contact for Brooklyn-based Quidd and requested comment.

“In addition to changing Quidd account passwords, users should also change the passwords on other accounts that use the same password to prevent credential stuffing attacks,” said Paul Bischoff, privacy advocate with Comparitech. Credential stuffing occurs when hackers use login credentials from one service to attempt logging in on other services, because they know many people reuse passwords across multiple accounts.”