Cyber Incident Victim: Invideo
Date: Oct 2020
Location: Singapore
Summary
A threat actor advertised the sale of 34 million user records allegedly stolen from seventeen companies, including Invideo.io, via a hacker forum. The compromised data across affected organizations encompassed emails, variously hashed passwords, and personal identifiers such as names, phone numbers, addresses, and national identification numbers, with some breaches exposing financial details or social media tokens. While one company acknowledged the incident, most had not confirmed breaches at the time of reporting, and the seller claimed to act solely as a broker for the stolen databases.
Description
On October 28, 2020, a threat actor advertised the sale of stolen user databases from seventeen companies on a hacker forum, aggregating approximately 34 million compromised records. The seller, acting solely as a data breach broker rather than the original attacker, claimed no involvement in the actual intrusions but offered the datasets for private sale, with historical pricing for similar breaches ranging between $500 and $100,000. Among the affected entities was Invideo.io, a video creation platform, whose exposed data included user email addresses and passwords hashed using bcrypt. The broker provided samples and descriptions of the stolen data for each company, though Invideo.io had not publicly acknowledged the breach at the time of the report. Other prominent victims included Geekie.com.br (8.1 million records), Clip.mx (4.7 million), Wongnai.com (4.3 million), and RedMart.lazada.sg, the latter of which had confirmed a breach. The datasets varied in content, with some containing highly sensitive information such as credit card details, tax identifiers, social media tokens, and personally identifiable information like CPF numbers (Brazilian taxpayer IDs) and dates of birth.

The incident exposed systemic risks stemming from credential reuse, as compromised emails and password hashes from Invideo.io and other platforms could facilitate credential-stuffing attacks against users’ other accounts. While bcrypt hashing (used by Invideo.io, Cermati.com, and others) is considered robust against brute-force attacks, weaker hashing algorithms like MD5 (employed by Eatigo.com, Wongnai.com, and Athletico.com.br) increased the vulnerability of affected users. The broker’s public listing indicated that the datasets were initially being marketed for exclusive private sales, following a common pattern where stolen data is monetized before eventual public release. No specific details regarding the intrusion methods, timeline of the breaches, or containment measures by Invideo.io were disclosed in the available information. The cumulative scale of the aggregated datasets underscored the persistent threat of mass data exfiltration targeting diverse industries, with compromised entities spanning e-commerce, education, finance, gaming, and digital services across multiple geographic regions.
