A photo-printing startup is alerting its users about a data breach in which hackers stole some customers’ personal information.
Chatbooks, a Utah-based company that sells albums of digital photos, told customers on May 8 it was victimized on March 26 by attackers who accessed Chatbooks login credentials, including names, email addresses and individually salted and hashed passwords, and, for some customers, phone numbers and Facebook ID data.
“We’ve hired a digital forensics firm and our investigation is ongoing, but as we learn more we will continue to communicate with our community and other stakeholders,” CEO Nate Quigley wrote in an email to CyberScoop.
Chatbooks appears to be just one of a growing number of international companies victimized by a hacking group which calls itself “Shiny Hunters.” The same group of scammers claimed to steal 91 million usernames and passwords from Tokopedia, an Indonesian e-commerce company, as well as the food delivery service HomeChef, the Chronicle of Higher Education, and a number of other seemingly random organizations. These attackers also are advertising databases of stolen records on illicit web forums, typically for thousands of dollars.
While Chatbooks and Tokopedia have confirmed they experienced security incidents, other firms including HomeChef and the Chronicle of Higher Education, have not responded to requests for comment. A number of security firms, including Under The Breach, which first uncovered the Tokopedia data for sale and ZeroFOX, have reported on the recent incidents.
Dark web data brokers will sometimes market databases of stolen information that have been combined from a number of sources. It remains unclear whether Shiny Hunters is selling records it stole itself, or whether the scammer has re-packaged old usernames and passwords already available through the cybercriminal underground.
The reported breaches comes after other hacking groups, particularly the ransomware collective known as “Maze,” has for months breached victims, then threatened to publish their stolen information if organizations refused to pay an extortion fee.
“Often, these kinds of hacking groups sell breach dumps publicly without notifying the breached organization, or when they have tried to disclose the intrusion to the breached organization and [the victim] has declined to respond, or publicly disclosed the breach themselves,” Ashlee Benge, a senior threat researcher at ZeroFOX, said in an email.
“This kind of name-and-shame technique has become popular with both breach dump sellers an ransomware groups because the fear of disclosure tends to increase the likelihood of a response[.]”