Cyber Incident Victim: StorEnvy
Date:
May 2020
Location:
United States of America
Summary
A popular e-commerce platform suffered a breach resulting in the exposure of approximately 1.5 million customer and merchant accounts, with data leaked on a hacker forum. The compromised information included emails, plain-text passwords, full names, usernames, IP addresses, geographic locations, genders, social media profile links, and partial order details such as purchase dates and payment methods—though financial data and shipping addresses were not present. Credentials remained functional at the time of disclosure, suggesting recent compromise or prolonged password reuse by affected users. The leaked dataset, combining cracked and SQL database extracts, posed significant risks for credential-stuffing attacks, phishing campaigns, and identity theft across other services leveraging reused credentials.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around May 7, 2020, the e-commerce platform StorEnvy suffered a data breach resulting in the exposure of approximately 1.5 million customer and merchant accounts. The compromised data, leaked on a hacker forum, included emails, plain-text passwords, full names, usernames, IP addresses, cities, genders, and links to social media profiles. Some records also contained order-specific details such as order dates, order numbers, and payment methods, though shipping addresses and payment card information were not present in the database. The plain-text storage of passwords significantly amplified risks, as attackers could immediately exploit credentials for unauthorized access. Affected individuals confirmed their StorEnvy account details matched the leaked data, suggesting the breach’s authenticity. The hacker responsible publicly shared samples of the database and asserted all passwords were valid and testable on StorEnvy’s live platform, though the exact timing of the breach remained unclear—credentials’ functionality indicated either a recent compromise or the inclusion of inactive accounts with unchanged passwords.
The incident exposed users to heightened risks of phishing, malware attacks, identity theft, and credential-stuffing attacks on other platforms where reused passwords might exist. StorEnvy customers were advised to immediately change their platform passwords and any identical email account passwords, while also contacting the company for breach-related inquiries. Media reports referenced an unverified August 2019 breach involving 23 million StorEnvy credentials sold on the dark web, though no conclusive evidence had emerged at that time. Hackread.com attempted to contact StorEnvy for official confirmation or additional details but received no immediate response. The breach occurred amid a broader trend of attacks targeting e-commerce entities, including a contemporaneous incident impacting Indonesian platform Tokopedia, where 91 million user records were compromised and sold.