Cyber Incident Victim: Apps-builder.com
Date:
Oct 2020
Location:
Brazil
Summary
A threat actor brokered the sale of stolen user databases from seventeen companies, including Apps-builder.com, aggregating approximately 34 million records. The broker, not responsible for the original breaches, offered datasets containing emails, passwords hashed with various algorithms (including MD5crypt for the affected company), and additional personal identifiers such as names, contact details, and national ID numbers. While some impacted entities acknowledged compromises, others remained unconfirmed. The incident exposed credentials and sensitive user information, heightening risks of credential-stuffing attacks due to password reuse across services. Stolen data from multiple entities was marketed collectively, with private sales preceding potential public releases.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 28, 2020, a threat actor advertised the sale of stolen user databases from seventeen companies on a hacker forum, aggregating approximately 34 million compromised records. Among the affected entities was Apps-builder.com, whose user data was listed alongside sixteen other organizations including Geekie.com.br, Clip.mx, and Wongnai.com. The seller, acting as a data breach broker rather than the original attacker, claimed no direct involvement in the intrusions but facilitated the sale of the stolen datasets. The Apps-builder.com breach exposed user emails and passwords hashed using MD5crypt, though the exact number of affected accounts was not specified in the broker's advertisement. The seller provided samples of the stolen data to potential buyers, confirming the types of compromised information for each company. While Singaporean grocery delivery service RedMart publicly acknowledged a breach during this incident, Apps-builder.com did not issue any verified disclosure or confirmation at the time of reporting. The broker typically sold such databases through private transactions, with historical pricing for similar datasets ranging from $500 to $100,000 before eventual public release on forums.
The exposure of Apps-builder.com credentials created risks of credential stuffing attacks due to password reuse across services, particularly given the use of MD5crypt—a hashing method considered cryptographically weak by modern security standards. The compromised data could enable unauthorized access to user accounts on Apps-builder.com and other platforms where victims reused identical credentials. No containment measures, forensic findings, or remediation efforts by Apps-builder.com were documented in the available reports. The incident formed part of a broader pattern where multiple organizations across e-commerce, education, and entertainment sectors suffered data breaches, with stolen records aggregated by brokers for bulk sale. Impacts extended beyond Apps-builder.com to include 16 additional companies spanning ten countries, exposing diverse personal information including tax IDs, credit card details, and social media tokens depending on the specific breach. The broker's advertisement remained active as of October 31, 2020, with no indication of law enforcement intervention or data removal from the marketplace at the time of reporting.