
Cyber Incident Victim: Skybound Entertainment

Date: Apr 2023

Location: United States of America

Summary

Skybound Entertainment suffered a data breach where attackers allegedly exfiltrated a database containing the personal information of approximately 200,000 website users, including names, phone numbers, email and home addresses. The stolen data also purportedly included employee emails and passwords, customer payment information with partial card digits, and the company's source code. The breach was potentially discovered when a leaky database was closed.


Description

On or around April 7th, 2023, Skybound Entertainment, a multiplatform entertainment company best known for creating The Walking Dead comic book series, appears to have identified and subsequently secured a database that was leaking data. The company, which was established by Robert Kirkman and David Alpert, did not publicly disclose the incident at the time it was discovered and contained. The nature of the database and the initial point of compromise were not detailed in public statements from the company.


Approximately one month later, on May 8th, 2023, an unknown attacker or group of attackers registered on an underground criminal forum. On that same day, this newly registered actor posted an advertisement for sale of data allegedly stolen from Skybound Entertainment. The advertisement claimed the dataset contained information from every user on the Skybound.com website, amounting to approximately 200,000 individual users. The specific user data listed for sale included first and last names, phone numbers, email addresses, and home addresses.

Beyond the general user data, the attackers also claimed the stolen information included data related to customer payments. They claimed to have access to information on 200,000 payments. As proof of their claims, the threat actors provided a data sample. This sample, which was reviewed by cybersecurity researchers, contained complete customer information from a single payment transaction. The information visible in the sample included a delivery address, shipping method, a detailed list of the goods purchased, and the last four digits of a payment card. However, the presence of only a single sample, contrasted with the claim of 200,000 accessible payments, led analysts to suggest that the attackers could have been exaggerating their holdings or had accessed only a limited number of payment records.

The advertisement further alleged that the breach included the emails and passwords of Skybound employees. The attackers specifically highlighted that this employee data included information pertaining to celebrities. This claim was contextualized by noting that Robert Kirkman had recently worked on the comedy horror film 'Renfield', which starred Nicolas Cage and Nicholas Hoult, though no specific celebrities were named as being directly affected in the data sample. In addition to the personal and payment data, the threat actors also stated they had stolen Skybound’s source code. The theft of source code presents a severe security risk as it can expose a company's intellectual property and internal system data, potentially allowing malicious actors to study the code to craft targeted security exploits.

The asking price for the entire dataset was noted by researchers as being unusually low. This low price point was analyzed as potentially indicating that the sellers were inexperienced in the cybercriminal underground marketplace. An alternative analysis suggested the low price could signal that the data itself was considered to be of low quality or limited value by other criminal actors, though the contents as described contained significant personally identifiable information.

The method of intrusion was not definitively established. Analysis of the incident indicated that the attackers may have gained access to Skybound’s seller’s page by granting themselves administrator privileges while they still had access to the company's servers. The connection between this alleged method and the database that was secured on April 7th was not explicitly detailed. Skybound Entertainment did not respond to requests for comment from media outlets prior to publication, leaving the company's official perspective on the breach and the validity of the attackers' claims unstated.

The potential impacts of such a data leak are significant due to the types of personal information involved. Cybercriminals can use stolen personal information such as names, addresses, and phone numbers to commit various forms of fraud. This includes identity theft, sophisticated phishing attacks, opening new lines of credit or obtaining loans under false pretenses, and making unauthorized purchases. Even information that may seem insignificant on its own can be collated with other data points to create a more comprehensive profile of a victim, leading to a more devastating impact. A common challenge following such incidents is that victims often remain unaware that their data has been compromised, which prevents them from taking actions to monitor their accounts and mitigate potential outcomes. The inclusion of the last four digits of a payment card, while not sufficient for direct financial fraud on its own, could be used to add a layer of credibility to social engineering attempts against the affected individuals.
