Cyber Incident Victim: Netshoes

Date:

Dec 2017

Location:

Brazil

Summary

A hacker using the alias "DFrank" leaked personal data belonging to over 17,000 customers of the e-commerce platform Netshoes, posting the information on Pastebin. The attacker claimed to have exploited vulnerabilities in the company's systems through a technique called fuzzing to access the source code, intending to expose corporate assurances of data security as misleading. While the compromised data did not include banking details, credit card information, or account passwords according to the company, cybersecurity experts warned that the exposed personal information could facilitate social engineering attacks, such as identity theft or credential recovery scams. The company denied evidence of a system breach and suggested the data might have originated from phishing rather than a direct infiltration of its infrastructure.

Description

On December 5, 2017, a hacker using the alias "DFrank" publicly posted sensitive personal data belonging to 17,908 Netshoes customers across four documents uploaded to Pastebin. The attacker claimed to have obtained the records by exploiting vulnerabilities in the e-commerce platform's infrastructure, specifically referencing the use of fuzzing techniques to infiltrate the source code. DFrank explicitly stated the motivation was to challenge corporate assurances about consumer data security, declaring: "We want companies to end the claim that consumer data is safe. People cannot continue to be deceived by companies." The exposed datasets included customer names, email addresses, physical addresses, and purchase histories but notably excluded financial details like credit card numbers or banking credentials according to subsequent corporate statements. Cybersecurity researchers confirmed the authenticity of the leaked records, which created immediate risks of identity theft and targeted phishing campaigns against affected individuals.

Netshoes issued a formal denial of any successful intrusion into their systems, asserting no forensic evidence supported claims of a direct breach and suggesting the data exposure might instead stem from phishing attacks against customers. The company emphasized that critical authentication elements (passwords) and payment information remained uncompromised while reaffirming their commitment to infrastructure security. Independent analysis by Morphus Labs researcher Renato Marinho outlined significant secondary risks, noting that even non-financial data could enable extensive social engineering attacks ranging from fraudulent bank account openings to credential recovery scams targeting victims' online services. The incident amplified existing public concerns about e-commerce data stewardship in Brazil, though Netshoes maintained operational continuity without reporting further unauthorized access events linked to the leak. The hacker did not issue additional communications or demands following the initial data dump, leaving unresolved questions about the exact exfiltration method given the conflicting accounts between DFrank's intrusion claims and the company's phishing hypothesis.
