Cyber Incident Victim: Quidd

In late 2019, account details for approximately four million users of Quidd, an online collectibles marketplace, were compromised and subsequently circulated among cybercriminal networks. The breach first became visible through advertisements on hacking forums and Pastebin, with activity documented as early as October and December 2019, respectively. A threat actor using the alias ProTag claimed responsibility for the intrusion and initially offered the stolen dataset for private sale. Over subsequent months, the Quidd user information traded discreetly within high-level hacking groups before appearing more broadly on public forums by April 2020. The exposed records contained usernames, email addresses, and password hashes protected with the bcrypt algorithm. Three independent sources provided ZDNet with consistent samples of the dataset in April 2020, confirming its authenticity. Despite the prolonged visibility of the breach across criminal channels, Quidd had not issued any public security advisories or acknowledged the incident at the time of media reporting.

The compromised credentials presented reduced immediate risk due to bcrypt’s robust hashing implementation, which makes password reversal computationally impractical. Paradoxically, this strong cryptographic protection may have contributed to the data’s eventual public leakage, as threat actors likely determined the hashes held limited monetization value through cracking attempts. No evidence indicated exposure of financial data, payment systems, or unhashed credentials in the breach. Quidd’s operational systems and transactional infrastructure were not described as affected. The company did not respond to ZDNet’s request for comment regarding incident awareness or remediation steps. Users received public advisories from media outlets to proactively change account passwords as a precaution against potential credential-stuffing attacks leveraging the exposed email-password combinations.