
Cyber Incident Victim: Sh0ping.su

Date: Jun 2016

Location:

Summary

A dark net marketplace specializing in stolen accounts and hacked data was compromised, resulting in the theft and subsequent public leak of extensive user information. The breach exposed over 16,000 registered platform accounts, 15,000 additional credentials from external services stored on its servers, and approximately 9,000 credit card records containing CVV codes, expiration dates, cardholder names, and associated personal details including social security numbers, birthdates, and identification documents. Attackers initially attempted to sell the data before releasing it freely online. The platform temporarily went offline for maintenance following the incident. While the target itself facilitated cybercrime, the breach further endangered individuals whose stolen data had been aggregated on the service, compounding their original compromises.

Description

In June 2016, the darknet marketplace Sh0ping.su (previously operating as ShOping.net) suffered a significant data breach resulting in the theft and public exposure of sensitive user information. Attackers compromised the platform’s servers, exfiltrating 16,566 registered Sh0ping.su accounts containing email addresses and encrypted passwords. Additionally, they stole approximately 15,000 user accounts originally obtained from third-party platforms—including Uber, PayPal, Amazon, Twitter, GoDaddy, cPanel, and WebMail—which Sh0ping.su had listed for sale. The breach also exposed 9,000 credit card records with full payment details: card numbers, CVV codes, expiration dates, cardholder names, card types, zip codes, and purchase dates. Further compromised data included 5,000 users’ personally identifiable information such as ID card numbers, Social Security numbers, dates of birth, phone numbers, physical addresses, and usernames. Cybersecurity firm Hacked-DB identified and validated the breach, confirming the authenticity of the leaked datasets. Following the intrusion, Sh0ping.su’s website became inaccessible for approximately 36 hours, reportedly for maintenance, before resuming operations.

The attackers initially attempted to monetize the stolen data by offering it for sale online but subsequently released it publicly without clear motivation. This incident represented a secondary victimization of individuals whose data had originally been stolen from other services and aggregated on Sh0ping.su for criminal trade. While the platform itself facilitated cybercrime—specializing in the sale of compromised accounts and cracked software—the breach compounded risks for affected individuals through the exposure of financial and identity data. The event mirrored a prior May 2016 breach of Nulled.io, another dark web forum dealing in stolen accounts and pirated software, which similarly lost its entire server data to hackers. No remediation efforts by Sh0ping.su beyond temporary downtime were documented in available reports. Hacked-DB’s analysis remained the primary third-party verification of the breach’s scope and validity, with no additional technical details regarding intrusion methods or infrastructure impacts disclosed.
