Cyber Incident Victim: Peatix

Date: Nov 2020

Location: Japan

Summary

A hacker leaked data of over 4.2 million users from an event management platform, exposing full names, usernames, emails, and salted hashed passwords. The breach primarily affected users with Asian names, consistent with the company's operational regions. Stolen records were advertised via Instagram stories, Telegram channels, and hacking forums. The organization confirmed unauthorized access, blocked further intrusions, and initiated password resets for impacted accounts. No financial information was compromised due to third-party payment processing, and historical event participation data, questionnaire responses, addresses, and phone numbers reportedly remained unaffected. The leaker claimed to be sabotaging a rival broker rather than orchestrating the original breach.

Description

In early November 2020, a hacker leaked the personal data of over 4.2 million users from Peatix, an event management platform operating primarily in Asia and the United States. The leaked dataset included full names, usernames, email addresses, and salted and hashed passwords. The attacker advertised the stolen information through Instagram stories, Telegram channels, and multiple hacking forums. Analysis of the data samples revealed that most affected users had Asian names, reflecting Peatix's operational footprint after its 2011 launch in Japan and subsequent expansions to Singapore (2013) and other regions. ZDNet first notified Peatix about the potential breach in early November but received no initial response. The leak's advertisement on underground platforms suggested broader circulation among cybercriminal networks before public disclosure.

Peatix publicly acknowledged the breach in late November 2020 via a website statement, confirming unauthorized access to its systems. The company stated it had identified the intrusion vector, blocked further access, and initiated password resets for all affected accounts through email notifications. According to Peatix's investigation, no financial information was compromised due to reliance on third-party payment processors, and no evidence indicated theft of event participation histories, questionnaire responses, phone numbers, or physical addresses. A hacker claiming responsibility for the leak clarified to ZDNet that they were not the original attackers but had redistributed the data to undermine a competing breach broker. The incident exposed millions of users to credential-stuffing risks despite password hashing, while Peatix's delayed public response extended the period between breach detection and mitigation.
