Cyber Incident Victim: Everything5pounds.com
Date:
Oct 2020
Location:
Singapore
Summary
A data breach exposed customer records from Everything5pounds.com, among 16 other companies, with stolen databases collectively containing 34 million user records offered for sale by a broker on a hacker forum. The compromised data included emails, hashed passwords, names, gender information, and phone numbers. The broker claimed no involvement in the original breaches, acting solely as a reseller of the stolen information. Other affected entities included retailers, service platforms, and websites, with exposed details varying by organization but commonly encompassing credentials, personal identifiers, and in some cases financial or tax data. The incident highlighted risks associated with credential reuse across multiple services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 28, 2020, a threat actor advertised stolen user databases from seventeen companies for sale on a hacker forum, aggregating approximately 34 million compromised records. The seller operated as a data breach broker rather than the original attacker, facilitating the sale of databases obtained from third-party breaches. Among the affected entities was Everything5pounds.com, a UK-based fashion retailer, whose exposed data included customer emails, hashed passwords, full names, gender information, and phone numbers. The broker did not disclose the specific number of records compromised at Everything5pounds.com or the exact breach methodology. Other prominent victims included Geekie.com.br (8.1 million records), Clip.mx (4.7 million), and Wongnai.com (4.3 million). RedMart publicly acknowledged its breach, but most listed companies, including Everything5pounds.com, had not confirmed incidents at the time of reporting. The seller provided samples verifying the data’s authenticity, with password hashing algorithms varying across victims—though Everything5pounds.com’s specific hashing mechanism remained unspecified beyond being categorized as “hashed.”
The aggregated databases contained diverse personal identifiers across companies, including payment card details from RedMart, CPF numbers from Brazilian sites, and social media tokens from Eatigo.com. Stolen records typically entered private sales first, with historical pricing ranging from $500 to $100,000 per database before eventual public release. The broker’s advertisement indicated all seventeen datasets were available for immediate purchase, though no specific timeline or pricing for Everything5pounds.com’s data was disclosed. No containment measures or forensic findings from Everything5pounds.com were reported in the source material. The cumulative exposure created credential-stuffing risks due to password reuse across platforms, though no downstream fraud incidents were explicitly linked to the Everything5pounds.com breach in the available data. The fashion retailer’s public response status remained unverified as of October 31, 2020, when the broker’s activities were documented.