{ "id": "614a9511-7c25-4c1c-a93e-10e6f13f45c0", "created_at": "2026-04-06T00:11:44.645695Z", "updated_at": "2026-04-10T03:31:42.277391Z", "deleted_at": null, "sha1_hash": "3fceaac79d10480fbcd497b41e1f4efe333cb2fe", "title": "Pandabuy was extorted twice by the same threat actor", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 368991, "plain_text": "Pandabuy was extorted twice by the same threat actor\r\nBy Pierluigi Paganini\r\nPublished: 2024-06-07 · Archived: 2026-04-02 12:26:56 UTC\r\nChinese shopping platform Pandabuy previously paid a ransom demand to an\r\nextortion group that extorted the company again this week.\r\nThe story of the attack against the Chinese shopping platform Pandabuy demonstrates that paying a ransom to an\r\nextortion group is risky to the victims.\r\nBleepingComputer first reported that Pandabuy had previously paid a ransom to an extortion group to prevent\r\nstolen data from being published, but the same threat actor extorted the company again this week.\r\nIn April, at least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of\r\nmore than 1.3 million customers on a cybercrime forum.\r\nThe member of the BreachForums ‘Sanggiero’ announced the leak of data allegedly stolen by exploiting several\r\ncritical vulnerabilities in Pandabuy’s platform and API. Sanggiero said that he breached the platform with another\r\nthreat actor named ‘IntelBroker.’\r\nStolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id,\r\nHome_address, Zip, and Country.\r\n“In April 2024, almost 3M+ rows of data from the store company Pandabuy was posted to a popular hacking\r\nforum. The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were\r\nidentified allowing access to the internal service of the website. The data contained 3M+ unique UserId, First\r\nName, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and\r\nhttps://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html\r\nPage 1 of 3\n\nso on. The website was breached by @Sanggiero and @IntelBroker.” reads the announcement published by\r\nBreachForums.\r\nThe data is available for sale on the cybercrime forum, Sanggiero published a sample as proof of the data breach.\r\nHIBP founder Troy Hunt confirmed that 1.3 million email addresses are valid, the remaining addresses are\r\nduplicates. Hunt added the leaked addresses to HIBP, users can check if they have been impacted in the incident.\r\nA company representative said on a Discord channel that the security breach took place in the past, he also added\r\nthat the company security team said no data breach took place this year.\r\nOn June 3, 2024, Sanggiero offered the entire database he had previously stolen from Pandabuy for sale at\r\n$40,000. The actor claims the database contains more than 17 million lines, greater than the initial dataset offered\r\nin April, which included 1.3 million lines.\r\n“A Pandabuy spokesperson admitted to BleepingComputer that they had paid the hacker an undisclosed amount\r\nto stop the data leak, adding that the threat actor may have shared the data with others, so they would no longer\r\ncooperate with him.” reported BleepingComputer.\r\nThe company attempted to downplay the incident saying that the data offered by Sanggiero is the same of the\r\nprevious leak\r\nPandabuy added that they could not continue paying ransom due to frozen funds, anyway they addressed the\r\nvulnerabilities exploited in the original attack. The company speculates the threat actors had “secretly sold” their\r\ndata to cybercriminals.\r\nPierluigi Paganini\r\nFollow me on Twitter: @securityaffairs and Facebook and Mastodon\r\n(SecurityAffairs – hacking, cybercriminals)\r\nhttps://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html\r\nPage 2 of 3\n\nSource: https://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html\r\nhttps://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html" ], "report_names": [ "pandabuy-extorted-again.html" ], "threat_actors": [ { "id": "0263e1e1-4568-410a-a5e4-6932db1d40da", "created_at": "2024-06-26T02:00:04.854969Z", "updated_at": "2026-04-10T02:00:03.667295Z", "deleted_at": null, "main_name": "IntelBroker", "aliases": [], "source_name": "MISPGALAXY:IntelBroker", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434304, "ts_updated_at": 1775791902, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3fceaac79d10480fbcd497b41e1f4efe333cb2fe.pdf", "text": "https://archive.orkl.eu/3fceaac79d10480fbcd497b41e1f4efe333cb2fe.txt", "img": "https://archive.orkl.eu/3fceaac79d10480fbcd497b41e1f4efe333cb2fe.jpg" } }