Cyber Incident Victim: Kütübazár
Date:
Jul 2024
Location:
Hungary
Summary
A Hungarian webshop experienced a data breach where attackers compromised an employee's credentials to access customer names, email addresses, and shipping details, though financial data and passwords remained secure. Initially estimated to affect hundreds of thousands, subsequent investigations revealed only 221 legitimate users were impacted, with the majority of exposed records being test entries or fake data generated by bots. The company reported the incident to law enforcement and data protection authorities, notified affected customers, and implemented security upgrades including replacing its open-source operating system following a prior cybersecurity review that found no critical vulnerabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In July 2024, Hungarian media reported a data breach involving Kütyübazár, a webstore operating since 2010, which exposed customer information through unauthorized access. According to cybersecurity researcher Fodor Dénes of White Hat IT Security, attackers obtained and offered for sale on the dark web a database containing names, email addresses, and delivery addresses linked to approximately 800,000–850,000 Hungarian users. The compromised records originated from 1 million order-related entries processed by Kütyübazár. Initial reports indicated the data was actively marketed by threat actors, with the seller claiming direct acquisition from the webstore. Kütyübazár confirmed unauthorized access occurred via credential compromise, stating an attacker illicitly obtained an employee’s password through criminal means and used it to extract customer shipping details. The company emphasized financial data and passwords remained secure, as payment systems operated on separate infrastructure. Upon discovering the breach, Kütyübazár filed a police report, notified Hungary’s data protection authority, and planned to email affected customers by August 2024.
Subsequent investigation revealed discrepancies in the scale of impacted users. Kütyübazár’s executive, Jakab László, clarified that fewer than 800,000 records contained genuine customer data, with the majority consisting of test entries or fake accounts generated by automated bots during system trials. Police forensic analysis identified only 221 verified users whose personal information was compromised in the breach fragment accessed by attackers. The company disclosed it had previously commissioned a cybersecurity audit that found no critical vulnerabilities but acknowledged the difficulty of preventing credential-based intrusions. In response to the incident, Kütyübazár upgraded its security infrastructure in 2024, replacing its entire open-source operating system while maintaining operations across approximately 300,000 annual orders. No evidence emerged of further misuse beyond the initial data exfiltration, though the stolen information remained publicly listed on dark web markets at the time of reporting.