Cyber Incident Victim: Geekie.com.br

Date: Oct 2020

Location: Brazil

Summary

A threat actor offered stolen user databases from multiple companies for sale, including Geekie.com.br, which had approximately 8.1 million records compromised. The exposed data encompassed emails, usernames, names, dates of birth, CPF numbers, and passwords hashed with bcrypt-sha256/sha512 algorithms. The seller claimed to act solely as a broker for these breaches, aggregating databases from seventeen entities totaling 34 million records, with other impacted organizations experiencing varying exposures such as email addresses, payment details, social media identifiers, and differently hashed or encrypted credentials. While one company acknowledged the breach publicly, most had not confirmed incidents at the time of reporting.

Description

On October 28, 2020, a threat actor advertised stolen user databases from seventeen companies for sale on a hacker forum, aggregating approximately 34 million records. The seller acted as a data breach broker rather than the original attacker, offering databases obtained through undisclosed compromises. Among the affected entities was Geekie.com.br, a Brazilian educational platform, which accounted for 8.1 million exposed records—the largest single dataset in the collection. The broker provided samples and details of the stolen data, which for Geekie included emails, usernames, full names, dates of birth, CPF (Brazilian tax ID) numbers, and passwords stored using bcrypt-sha256 or bcrypt-sha512 hashing. Other prominent victims included Clip.mx (4.7 million records), Wongnai.com (4.3 million), and Cermati.com, with varying combinations of exposed personal and authentication data across the seventeen organizations. Only RedMart.lazada.sg had publicly acknowledged a breach at the time of reporting, while most others, including Geekie, had not confirmed compromises.

The exposure of CPF numbers and birthdates in Geekie’s dataset posed significant risks of identity fraud under Brazilian law, as CPFs serve as universal identifiers for financial and governmental services. Password hashes across all affected organizations used diverse cryptographic methods—ranging from strong bcrypt implementations to weak MD5 hashing in cases like Eatigo.com and Athletico.com.br—potentially enabling credential-stuffing attacks if cracked. The broker historically sold such databases through private transactions priced between $500 and $100,000 before eventual public release, amplifying secondary exploitation risks. No containment measures or detection timelines were disclosed for Geekie or most other entities. The cumulative impact spanned multiple sectors—e-commerce, education, finance, gaming, and hospitality—with compromised data types including payment card details (RedMart), social media tokens (Eatigo), and tax IDs (Cermati, Athletico). BleepingComputer verified samples from several datasets but did not observe Geekie’s operational status or user notifications at the time of publication.
