Cyber Incident Victim: Wongnai
Date: Oct 2020
Location: Singapore
Summary
A threat actor advertised the sale of stolen user databases from seventeen companies, including Wongnai.com, on a hacker forum, aggregating approximately 34 million records. The broker, who claimed no involvement in the original breaches, offered 4.3 million records from the victim, exposing emails, MD5-hashed passwords, and linked social media identifiers. The incident highlighted broader risks of credential reuse, as compromised data from multiple entities included varying combinations of personal details, authentication credentials, and sensitive identifiers like tax or financial information. While some affected organizations acknowledged breaches, others remained unconfirmed at the time of reporting.
Description
On October 28, 2020, a threat actor advertised the sale of stolen user databases from seventeen companies on a hacker forum, aggregating approximately 34 million compromised records. Among the affected entities was Thailand-based Wongnai.com, a food delivery and restaurant review platform, with 4.3 million user records exposed. The seller, operating as a data breach broker rather than the original attacker, claimed no direct involvement in hacking the companies and offered the databases for private sale. The Wongnai.com dataset included user email addresses, MD5-hashed passwords, and linked social media identifiers. This breach formed part of a broader campaign targeting multiple organizations across various sectors, including e-commerce, education, and entertainment platforms such as Geekie.com.br (8.1 million records), Clip.mx (4.7 million), and RedMart.lazada.sg. The broker provided technical specifications for each dataset, confirming the hashing algorithms and types of exposed personal information. While RedMart publicly acknowledged its breach, Wongnai.com and most other listed companies had not issued formal disclosures at the time of the forum activity. Stolen credentials from these breaches carried heightened risks due to the prevalence of password reuse across multiple services.

The exposure of MD5-hashed passwords from Wongnai.com posed significant security concerns, as MD5 is fast to compute and considered too weak for password storage, leaving the hashes susceptible to brute-force attacks. The inclusion of social media IDs increased the potential for cross-platform account takeover attempts and targeted phishing campaigns. The broker’s advertisement followed established underground market practices, where datasets are initially monetized through private sales before eventual public release. Historical pricing for similar breaches ranged from $500 to $100,000, though no specific valuation was disclosed for the Wongnai.com data. Security researchers monitoring the forum activity emphasized the operational impact of credential stuffing attacks leveraging these compromised records. The cumulative scale of the 34 million records across seventeen organizations represented one of the largest aggregated breach dumps observed in late 2020. Public advisories urged affected users to change passwords and use unique credentials across online accounts, though no remediation measures specific to Wongnai.com were detailed in available reports. The incident underscored persistent vulnerabilities in credential storage practices across diverse digital platforms.
