Cyber Incident Victim: Katapult.com
Date: Oct 2020
Location: United States of America
Summary
A threat actor advertised stolen user databases from seventeen companies, including Katapult.com, for sale on a hacker forum, aggregating approximately 34 million records. The seller acted as a broker rather than the original attacker, offering datasets containing emails, variously hashed passwords, and in some cases personal identifiers like names, phone numbers, or financial details. Katapult's breach specifically exposed email addresses and passwords protected with PBKDF2-SHA256 hashing. While one impacted organization publicly acknowledged the incident, most had not confirmed compromises at the time of reporting. The datasets originated from disparate breaches and were being monetized through private sales prior to potential public release.
Description
On October 28, 2020, a data breach broker advertised stolen user databases from seventeen companies for sale on a hacker forum, aggregating approximately 34 million compromised records. The broker clarified to BleepingComputer that they acted solely as a reseller and were not directly responsible for hacking the affected organizations. Katapult.com was identified among the victims, with its user database containing email addresses and passwords hashed using the PBKDF2-SHA256 algorithm. The seller did not disclose the exact number of records compromised from Katapult.com specifically, though the cumulative total across all seventeen companies suggested a significant breach. Other prominent victims included Geekie.com.br (8.1 million records), Clip.mx (4.7 million), Wongnai.com (4.3 million), and RedMart, the latter being the only organization confirmed to have publicly acknowledged the breach at the time of reporting. The broker offered these databases through private sales, with historical precedent indicating initial pricing between $500 and $100,000 per database before eventual public release.

According to the broker's listing, the Katapult.com breach exposed user credentials but no additional personal identifiers such as names, addresses, or financial data. This contrasted with breaches like RedMart, which exposed credit card details, and Geekie.com.br, which compromised Brazilian taxpayer IDs (CPF numbers). The hashing algorithm used for Katapult.com passwords (PBKDF2-SHA256) represented a relatively robust protection method compared to weaker algorithms like MD5 observed in other breached entities such as Eatigo.com and Game24h.vn, since its iterated key derivation makes each offline password guess far more expensive than a single MD5 computation. No public statement from Katapult.com regarding the incident was documented in the source material, unlike RedMart's confirmed disclosure. The aggregated sale of multiple databases amplified the risk of credential stuffing attacks, because users who reused passwords across services could be compromised elsewhere. The broker provided sufficient sample data to verify the breaches' authenticity but did not reveal the original attack vectors or timelines for the individual compromises.
