Cyber Incident Victim: W3layouts
Date: Oct 2020
Location: Singapore
Summary
A threat actor offered stolen user databases from seventeen companies for sale, including W3layouts, collectively containing approximately 34 million records. The broker claimed no direct involvement in the breaches but facilitated the sale of datasets comprising emails and hashed credentials—specifically bcrypt-protected passwords for W3layouts—alongside varying personal identifiers across affected entities. While one company acknowledged unauthorized access, most victims had not publicly confirmed compromises at the time of reporting. The incident highlighted broader risks of credential reuse, as attackers frequently monetize such stolen data through private sales before potential public leaks.
Description
On October 28, 2020, a threat actor advertised the sale of stolen user databases from seventeen companies on a hacker forum, aggregating approximately 34 million records. The seller operated as a data breach broker rather than the original attacker, facilitating transactions for databases allegedly obtained through prior compromises. Among the affected entities was W3layouts.com, a web design platform, whose exposed data included user emails and passwords hashed with bcrypt. The broker’s forum post listed additional victims such as Geekie.com.br (8.1 million records), Clip.mx (4.7 million), Wongnai.com (4.3 million), and RedMart.lazada.sg, with stolen data types varying by organization. For W3layouts, the breach did not include supplementary personal identifiers beyond emails and passwords, unlike other targets where names, phone numbers, tax IDs, or payment card details were compromised. The seller indicated that databases were available for private purchase, aligning with common underground practices where breaches are initially monetized before potential public release. No specific ransom demands or pricing for W3layouts’ data were disclosed in the forum activity described.

The incident’s impact centered on credential exposure, with multiple organizations’ users facing heightened account takeover risks due to password reuse vulnerabilities. RedMart.lazada.sg publicly acknowledged its breach, confirming unauthorized access to customer emails, addresses, phone numbers, and credit card data, but W3layouts and most other listed companies had not issued statements by the article’s publication date (October 31, 2020). The broker provided technical specifics about the stolen data to potential buyers, including password hashing algorithms like bcrypt (used by W3layouts, Cermati.com, and Invideo.io), MD5 (Eatigo.com, Wongnai.com), and SHA variants. Security researchers monitoring the forum urged affected users to reset passwords, particularly for accounts sharing credentials across multiple services. The cumulative scale of the 17 breaches underscored persistent threats to consumer data aggregation, though W3layouts’ specific user notification or remediation steps remained undocumented in available sources at the time.
