Cyber Incident Victim: RentoMojo
Date: Apr 2023
Location: India
Summary
RentoMojo, an Indian furniture rental platform, experienced a data breach after attackers exploited a cloud misconfiguration to access a customer database. The incident exposed personally identifiable information for over 150,000 subscribers, including email addresses. Subsequently, customers received blackmail messages from the threat actors, who threatened to release their stolen personal data publicly. The company confirmed financial information was not impacted and reported the incident to authorities.
Description
On or around April 20, 2023, the Indian furniture rental start-up RentoMojo publicly disclosed that it had experienced a significant security incident. The company announced that its team had identified a security breach involving unauthorized access to one of its databases. According to the company's official statement, the attackers gained this access by exploiting a cloud misconfiguration. RentoMojo characterized the attacks that exploited this configuration weakness as extremely sophisticated, and they ultimately resulted in the breach of the database. The primary impact of the incident was on the company's customer data, which included personally identifiable information for a substantial number of subscribers.

While RentoMojo did not publicly disclose the precise scale of the breach in its initial communication, external reports based on the company's disclosure indicated that the incident impacted over 150,000 subscribers. The company was specific in stating that financial information, including customer credit card numbers, was not accessed or impacted during the breach. This suggests that the compromised database was segregated from systems processing or storing sensitive payment data, limiting the immediate financial risk to its customers. The focus of the breach was instead on personal data, though the company did not provide a detailed inventory of the specific data types that were exfiltrated.
Shortly after the breach was disclosed, evidence emerged on social media platforms that provided more context about the attackers and the scope of the stolen data. Individuals claiming responsibility for the attack identified themselves as Shiny Hunters, a threat actor group known for prior data breach incidents. Social media chatter, primarily on Twitter, indicated that the attackers had stolen a large cache of subscriber email addresses. These public posts, many from affected subscribers themselves, began to paint a clearer picture of the attack's impact beyond the company's initial, less specific statement.
The incident escalated significantly when the stolen data was used for extortion purposes. Cybercriminals, believed to be the same Shiny Hunters group, began directly targeting the affected RentoMojo subscribers with blackmail messages. These messages were sent via email to the victims. The content of these emails threatened to release the victims' personal data publicly. The attackers claimed that this action was being taken because RentoMojo itself had not responded to their demands, implying that the company may have been extorted prior to the customers being targeted.
Victims took to social media to share their experiences and raise concerns about the breach of their privacy and security. One user tweeted about receiving disturbing news regarding the exposure of their confidential information and stated that hackers were now blackmailing them to release their personal data, which they characterized as a serious breach. Another user posted on Twitter that they had received an email stating their data was breached and that the sender claimed they would make the data public since the company did not respond to their demands. These firsthand accounts confirmed the malicious use of the exfiltrated data and the direct impact on individuals.
The exposure of personally identifiable information in such data breaches provides cybercriminals with significant leverage to carry out further attacks against affected users. This can lead to a severe compromise of an individual's privacy and can even extend to threats against their financial security. The data stolen in such incidents is often not used in isolation; it can be combined with additional information gathered from other online sources or previous breaches to create detailed profiles of the victims. These enriched profiles enable more sophisticated and targeted attacks, such as personalized phishing campaigns, identity theft, and other forms of digital fraud, making the long-term consequences for victims more severe and persistent.
In response to the incident, RentoMojo initiated an investigation to understand the full scope and cause of the breach. The company also reported the security incident to the relevant authorities, a standard procedure intended to engage law enforcement and regulatory bodies. The company's public statement served as its official disclosure and primary communication to its customer base regarding the event. However, the company's communication did not detail specific remedial actions taken for affected customers, such as offering credit monitoring services, nor did it elaborate on the immediate technical steps taken to contain the breach, such as securing the misconfigured cloud asset.
The aftermath of the breach highlighted the direct consequences of a cloud misconfiguration, a common but critical vulnerability. The attackers’ ability to exploit this misconfiguration points to a failure in security controls surrounding the company's cloud infrastructure. The fact that the breach was identified by the company's own team suggests that internal monitoring systems eventually detected the unauthorized access, though the timeline from initial compromise to detection was not publicly revealed. The subsequent use of the data for blackmail indicates that the attackers successfully exfiltrated the data and maintained control over it for a period long enough to make demands and then follow through on their threats against customers.
The RentoMojo incident serves as a factual case study of a data breach where the initial compromise led to direct secondary attacks on the victim population. The company’s confirmation that financial data was not involved was a key point, aiming to mitigate customer concerns about immediate monetary loss. However, the theft of personally identifiable information and its use in extortion campaigns created a tangible atmosphere of fear and uncertainty among its subscribers. The public reporting of the incident to authorities indicated a formal response was underway, but the continued investigation meant that a complete understanding of the breach was still being developed at the time of public disclosure. The long-term impact on the company's reputation and the digital security of its users remained a significant concern following the event.
