Cyber Incident Victim: Clip.mx
Date: Oct 2020
Location: United States of America
Summary
A threat actor advertised the sale of 34 million user records allegedly stolen from 17 companies, including Clip.mx, which contributed 4.7 million records containing email addresses and phone numbers. The seller acted as a broker rather than the original attacker, offering databases from multiple victims with varying exposed information such as contact details, hashed passwords, and personal identifiers like tax numbers or social media credentials. While one affected company publicly acknowledged the breach, most had not confirmed compromises at the time of reporting. The aggregated datasets originated from diverse sectors and included both weakly and securely hashed authentication data alongside other sensitive user information.
Description
On October 28, 2020, a threat actor advertised the sale of stolen user databases from seventeen companies on a hacker forum, aggregating approximately 34 million compromised records. The seller identified themselves as a data breach broker rather than the original attacker, facilitating the sale of databases obtained from third-party breaches. Clip.mx was listed among the affected entities, with 4.7 million user records exposed. The broker indicated stolen datasets were typically sold privately for $500 to $100,000 before potentially being released freely on forums. Public disclosure occurred on October 31 when BleepingComputer reported the broker’s forum activity and verified partial claims through direct communication. The seller provided samples and metadata for each dataset, including Clip.mx’s breach, though no evidence suggested Clip.mx had acknowledged the incident at the time of reporting. Other companies like RedMart had confirmed breaches, while most others, including Clip.mx, remained unverified. The aggregated databases spanned multiple industries and geographic regions, with Geekie.com.br (8.1 million records) and Wongnai.com (4.3 million) representing the largest breaches after Clip.mx.

The Clip.mx breach exposed user email addresses and phone numbers, distinguishing it from other affected entities where password hashes, financial data, or national identifiers were compromised. For example, RedMart.lazada.sg’s dataset included SHA1-hashed passwords, addresses, and credit card details, while Geekie.com.br exposed bcrypt-protected passwords and Brazilian CPF tax numbers. Clip.mx’s comparatively limited data exposure reduced immediate credential-based risks but still enabled phishing and identity-targeted attacks. The broker’s advertisement emphasized the datasets’ freshness and completeness, though independent verification of these claims was not provided in the report. No containment efforts or technical mitigations by Clip.mx were documented. BleepingComputer’s article highlighted the broader pattern of breached data being monetized before public release, noting historical precedents for such broker activity. The cumulative impact affected 34 million users across diverse platforms, with password reuse across services amplifying potential secondary compromises.
