Cyber Incident Victim: Halara
Date: Jan 2024
Location: Hong Kong
Summary
Halara is investigating a data breach following the leak of nearly 950,000 customer records by a hacker known as 'Sanggiero,' who exploited an unfixed API vulnerability on the company's website. The exposed information includes names, phone numbers, addresses, and geographic details, with accuracy confirmed through victim verification. The threat actor publicly released the data on a hacking forum and Telegram channel, citing low resale value as motivation. The incident heightens risks of smishing attacks and potential fraud, as stolen customer data could facilitate targeted phishing or unauthorized purchases, mirroring tactics observed in other retail sector breaches.
Description
Halara, a Hong Kong-based athleisure clothing brand founded in 2020, began investigating a potential data breach in January 2024 after a threat actor named 'Sanggiero' leaked customer data on a hacking forum and Telegram channel. Sanggiero initially claimed the leak contained one million records; the text file actually held 941,910 entries, each with first name, last name, phone number, home address, zip code, province, city, country, and a unique address identifier. BleepingComputer verified the authenticity of the data by contacting multiple affected customers, who confirmed that their personal information matched legitimate Halara purchase records. Sanggiero stated that they obtained the data by exploiting an unfixed bug in an API on Halara's website, and that they had not contacted the company about the vulnerability before the leak. The threat actor justified releasing the data publicly by claiming it was not valuable enough to sell; the forum post also mistakenly carried a cannabis company's logo instead of Halara's. The breach timeline indicates the data was posted in early January 2024, with Halara confirming awareness of the alleged theft and opening an investigation only after media inquiries.

The compromised customer information exposed affected individuals to potential smishing attacks aimed at harvesting additional personal data such as email credentials, which could enable further fraud or resale to other threat actors. BleepingComputer noted established criminal markets specializing in stolen retail accounts from companies including Saks 5th Avenue, Express, and Ulta Beauty, suggesting possible follow-on misuse involving fraudulent purchases. Halara's investigation remained ongoing at the time of reporting, with no public confirmation that the alleged API vulnerability had been remediated or that additional security measures had been implemented. The company's rapid growth through TikTok marketing before the incident contrasted with its breach response, which began only after third-party validation of the leaked data's authenticity. No financial information or account credentials appeared in the sampled dataset, but the granular address details and phone numbers created significant phishing risks for the nearly 950,000 impacted customers.
