The hacker forum is letting anyone download Quidd data.
Another day, another data breach: this time, it is the unsuspecting users of Quidd whose personal data is being circulated on the dark web and on an infamous hacker forum for anyone to download.
Apparently, a hacker going by the online handle of “Protag” has published a massive trove of data belonging to Quidd, a marketplace for buying and selling digital collectibles through its Android and iOS apps.
The data was identified by the data breach research team at Risk Based Security. According to the company, the database was originally dumped on March 12th, 2020, and contained email addresses, usernames, and bcrypt-hashed passwords of 3,954,416 users.
One of the benefits of using bcrypt is that it requires a salt by default. It uses a 128-bit salt and encrypts a 192-bit magic value, which makes the resulting hashes hard to crack.
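The salt and cost described above are readable straight from a stored bcrypt string, so a defender can audit how well a password table would hold up if it leaked. The following is an added example, not code from the article, Quidd or Risk Based Security; the function names, the `MIN_COST` floor and the sample rows are assumptions made for illustration.

```python
import re

# bcrypt's own base64 alphabet (different ordering from RFC 4648, no padding).
B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
MCF = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
MIN_COST = 10  # assumed policy floor for this example; set per your own standard

def b64_decode(text, nbytes):
    """Decode bcrypt base64 (6 bits per char, MSB first) into nbytes bytes."""
    acc = 0
    for ch in text:
        acc = (acc << 6) | B64.index(ch)
    acc >>= len(text) * 6 - nbytes * 8  # drop the unused trailing bits
    return acc.to_bytes(nbytes, "big")

def parse_bcrypt(stored):
    """Split a stored bcrypt string into its fields; None if malformed."""
    m = MCF.fullmatch(stored)
    if not m or not 4 <= int(m.group(2)) <= 31:
        return None
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),
        "iterations": 2 ** int(cost),      # key-setup work grows as 2^cost
        "salt": b64_decode(salt, 16),      # the 128-bit per-password salt
        "digest": b64_decode(digest, 23),  # 23 of the 24 ciphertext bytes are stored
    }

def audit(records, min_cost=MIN_COST):
    """Return (user, reason) for rows that are not bcrypt or use a low cost."""
    findings = []
    for user, stored in records:
        info = parse_bcrypt(stored)
        if info is None:
            findings.append((user, "not a well-formed bcrypt string"))
        elif info["cost"] < min_cost:
            findings.append((user, f"cost {info['cost']} below {min_cost}"))
    return findings

# Constructed sample rows: syntactically valid strings, not hashes of real passwords.
SAMPLE = [
    ("alice", "$2b$12$" + "abcdefghijklmnopqrstuu" + "C" * 31),
    ("bob", "$2a$06$" + "." * 22 + "G" * 31),
    ("carol", "0123456789abcdef0123456789abcdef"),
]
```

Calling `audit(SAMPLE)` flags the low-cost row and the row that is not bcrypt at all, which are the entries that would fall first in an offline guessing attempt.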
It is worth noting that the Quidd data is available on the same hacker forum where personal details of 1.41 million US-based doctors, 42 million Iranian phone numbers and terabytes of OnlyFans data are currently being sold.
On March 30th, the database resurfaced on the hacker forum for public download and Hackread.com can confirm that the data was up for download at the time of publishing this article.
The bad news is that since the database is available for free download, anyone can get their hands on it and use the email addresses to carry out phishing or malware scams, as seen previously. On the other hand, the research team at Risk Based Security has also confirmed that:
The data leak contains more than a thousand professional email addresses related to well-known entities including AIG, Experian, Target, Microsoft, Accenture, Virgin Media, Tutanota and the University of Pennsylvania.
Because the database contains email addresses of professionals, it is without a doubt a blessing for cybercriminals and state-sponsored hackers, who have a history of targeting researchers and investigators.
Nevertheless, if you are a Quidd user, change your password right now, get in touch with the company yourself and do not click on any link claiming to be sent by Quidd as a security advisory on the breach. Cybercriminals tend to use such situations to target users looking for answers about their personal data from targeted companies.