Chinese ecommerce giant PandaBuy hit by cyberattack, data breach


Chinese global shopping platform PandaBuy suffered a cyberattack in which sensitive data on more than a million users was stolen. 

The authenticity of the data has been confirmed, and platform users have been urged to reset their passwords immediately.

Earlier this week, a hacker with the alias “Sanggiero” announced on a dark web forum that they, together with popular leaker “IntelBroker”, broke into PandaBuy by abusing multiple flaws in the API.

Ignoring the problem

"The data was stolen by exploiting several critical vulnerabilities in the platform's API and other bugs were identified allowing access to the internal service of the website," the hacker said. "The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on."

While the hackers claim to have stolen data on more than three million people, the actual number is less than half of that. As reported by BleepingComputer, Troy Hunt, founder of the HaveIBeenPwned? website, used the database to initiate password reset requests for the email addresses found in it. At least 1.3 million of those addresses returned as valid PandaBuy accounts.

The exact number of compromised accounts is therefore 1,348,407, the report said.

If you are worried about your data being stolen, head over to HaveIBeenPwned? and check if your address was compromised. In that case, resetting the password would also be wise.

PandaBuy hasn’t officially addressed the issue. BleepingComputer found that company representatives said, in a Discord channel, that this was an older incident that had already been remedied. Others, according to the publication, claim the company is trying to sweep the whole thing under the rug by censoring user posts on Discord and Reddit.

PandaBuy is a retail platform where international users can purchase products from Chinese e-commerce platforms such as JD.com. The database can allegedly be purchased for a “symbolic” payment in cryptocurrency.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.