Katapult.com

Primary URL: katapult[.]com
Country: United States of America
Industry: Financial Services
Profile

Katapult.com, a United States-based organization, was identified as a victim in a significant data aggregation incident reported in late October 2020. In this event, a threat actor acting as a broker advertised for sale on a hacker forum a consolidated dataset of approximately 34 million user records stolen from seventeen different companies, with Katapult.com's data included in the collection. The broker's offering comprised email addresses and passwords; for Katapult's subset, the passwords were stored as PBKDF2-SHA256 hashes rather than in plaintext. Depending on the source breach, the advertised data also potentially included other personal identifiers such as names and phone numbers. The incident illustrates a common pattern in which multiple historical breaches are compiled and monetized by intermediaries, often before the originally affected organizations become aware of the new, consolidated exposure. At the time of the report, only one of the seventeen impacted organizations had publicly acknowledged a compromise; most, including Katapult.com, had not confirmed the incident, suggesting a lag between the broker's activity and corporate detection or disclosure. The broker's model involved private sales of these aggregated datasets, with a potential for subsequent public release, thereby increasing the risk and scale of exposure for the affected user bases across all named entities.

The nature of the data offered for sale, particularly the inclusion of hashed passwords, points to a compromise of authentication databases rather than merely user-submitted information. PBKDF2-SHA256 is a key derivation function designed to be computationally expensive so that offline brute-force and dictionary attacks against stolen hashes are slowed; it is a credential-protection control that did not prevent the initial breaches, and once the database is exfiltrated it can only delay cracking, not stop it. The incident therefore underscores the persistent risk of credential reuse and the long-term exposure posed by password hashes, even under modern algorithms, whenever the underlying database is stolen: weak or reused passwords remain recoverable given enough time and hardware. The broker's aggregation of disparate breaches into a single, large-scale offering amplifies the potential harm for individual users, since one email address may appear in datasets from several companies, linking otherwise separate online identities and enabling credential-stuffing across them. For Katapult.com, the specific exposure meant its users' email addresses and corresponding PBKDF2-SHA256 password hashes were part of this illicit marketplace, which warrants a review of authentication security (hashing parameters, forced password resets, and multi-factor authentication) and of user notification protocols. The broader context of the broker's activity, selling privately before any public release, indicates a deliberate monetization strategy within the cybercrime ecosystem that prioritizes profit through discreet, high-value transactions with other malicious actors before law enforcement or security researchers can intervene. This mode of operation complicates incident response for victim organizations, since the initial breach may have occurred years earlier and the new aggregation represents a secondary, unauthorized distribution of already stolen data.

Incidents
1 incident