
Cyber Incident Victim: Coupontools.com

Date: Oct 2020

Location: Singapore

Summary

A threat actor advertised stolen user databases from seventeen companies for sale on a hacker forum, including Coupontools.com, with the broker claiming no direct involvement in the breaches but facilitating their sale. The compromised data for this victim involved email addresses and bcrypt-hashed passwords, while other affected companies suffered exposure of varying combinations of personal information such as names, contact details, financial data, government identifiers, and differently hashed or encrypted passwords. While one company acknowledged the breach, most had not confirmed incidents at the time of reporting, with stolen records typically transitioning from private sales to public release over time.


Description

On October 28, 2020, a threat actor advertised the sale of 34 million user records purportedly stolen from seventeen companies on a hacker forum, with Coupontools.com among the affected entities. The seller operated as a data breach broker rather than the original attacker, facilitating the sale of databases obtained through undisclosed compromises. The aggregated datasets contained varying combinations of personally identifiable information, with Coupontools.com's breach exposing user email addresses and passwords protected using bcrypt hashing. Other impacted organizations included Geekie.com.br (8.1 million records), Clip.mx (4.7 million), Wongnai.com (4.3 million), and RedMart, the latter being the only company confirmed to have publicly disclosed a breach at the time of reporting. The broker provided samples of the stolen data to potential buyers but did not reveal how the breaches occurred or when they took place.


The incident exposed authentication credentials and sensitive personal data across multiple industries, including e-commerce platforms like RedMart (which suffered credit card detail exposure) and Brazilian educational service Geekie.com.br (which lost CPF national identification numbers). For Coupontools.com, the compromise specifically involved email credentials with bcrypt-protected passwords, though the exact number of affected users remained unspecified within the broader 34-million-record dataset. Security researchers monitoring the forum observed that such databases typically undergo private sales before eventual public release, with historical pricing ranging from $500 to $100,000 per dataset. While most companies had not acknowledged breaches by October 31, 2020, the public disclosure of the sale prompted third-party security advisories urging users to change passwords and avoid credential reuse across services. The cumulative impact spanned multiple geographic regions and service sectors, with compromised data types including financial information, government-issued identifiers, social media tokens, and varied password hashes ranging from relatively weak MD5 to stronger bcrypt implementations.
