Cyber Incident Victim: Athletico
Date: Oct 2020
Location: Brazil
Summary
A threat actor offered stolen user databases from seventeen companies for sale, including Athletico.com.br, with compromised data encompassing emails, MD5-hashed passwords, and CPF numbers. The broker claimed no direct involvement in the breaches but facilitated the sale of aggregated records totaling approximately 34 million, with impacted entities spanning multiple sectors and varying types of exposed information such as personal identifiers, payment details, and weakly protected credentials.
Description
On October 28, 2020, a threat actor advertised the sale of stolen user databases from seventeen companies on a hacker forum, aggregating approximately 34 million records. The seller, acting as a data breach broker rather than the original attacker, claimed possession of databases including Athletico.com.br alongside other entities such as Geekie.com.br, Clip.mx, and Wongnai.com. Athletico.com.br’s compromised dataset contained user emails, passwords hashed with the MD5 algorithm, and CPF (Cadastro de Pessoas Físicas) numbers, Brazil’s individual taxpayer identification. The broker did not disclose the method or timeline of the initial breach but indicated the data was obtained from third-party intrusions. Among the seventeen affected organizations, only RedMart had publicly acknowledged a breach at the time of reporting. The seller offered samples to potential buyers to verify the data’s authenticity, consistent with typical dark web sales practices where databases are initially monetized privately before potential public release.

The exposure of Athletico.com.br’s user data posed significant risks because it included weakly protected MD5-hashed passwords and sensitive CPF identifiers. MD5’s cryptographic vulnerabilities increased the likelihood of password cracking, enabling credential-stuffing attacks across other platforms where users might have reused credentials. CPF numbers, being permanent and widely used for financial and governmental services in Brazil, heightened identity theft risks. The article did not document any public statement or remediation action by Athletico.com.br as of October 31, 2020. Broader impacts across all seventeen companies included potential financial fraud, account takeovers, and phishing campaigns leveraging the combined 34 million records. Security researchers emphasized the threat of password reuse but noted no evidence of subsequent misuse specific to Athletico.com.br at the time of reporting. The incident underscored patterns of centralized brokerage for multi-organization breaches and the delayed public disclosure by most affected entities.
