{ "id": "d94c9575-902a-4758-8409-16e8e0b1f7bc", "created_at": "2026-04-09T02:23:52.706928Z", "updated_at": "2026-04-10T03:36:01.405461Z", "deleted_at": null, "sha1_hash": "648e5faeebf9637d07772a666488985ae72f50cf", "title": "Hacked on Christmas, DEphoto starts notifying customers, only to be attacked again - DataBreaches.Net", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48502, "plain_text": "Hacked on Christmas, DEphoto starts notifying customers, only to\r\nbe attacked again - DataBreaches.Net\r\nPublished: 2025-01-01 · Archived: 2026-04-09 02:17:30 UTC\r\nThe threat actor known as 0mid16B contacted DataBreaches this morning to alert this site to a breach involving a\r\nU.K. photo business, DEphoto (DEphoto[.]biz). DEphoto is an established business for school, sports, club, and\r\nevent photography.\r\nAccording to 0mid16B, they attacked DEphoto on December 25, and acquired the personal information of\r\n555,952 customers, 429,597 orders with detailed personal information of 240,307 orders, and 16,213 records with\r\nplain text credit card details (full card numbers, expiration dates, and CVV codes). All told, they claim to have\r\nexfiltrated hundreds of gigabytes of photos and other data, including the firm’s library of photographs with\r\ncustomers’ children and events photos.\r\n0mid16B provided DataBreaches with a number of unredacted screenshots that appear to have been taken from\r\nDEphoto’s network. One screenshot indicates that dephoto[.]bak and dephoto[.]mdf databases with more than 12\r\nGB of data were among the accessed databases. Most screenshots related to customer orders and contained\r\ninformation with names, postal and email addresses, home and mobile telephone numbers, and in the case of\r\npeople responding to franchise promotions, IP addresses.\r\nScreenshot from database with full credit card numbers in plain text. Numbers and CVV codes\r\nredacted by DataBreaches.net\r\nA Second Attack Follows Shortly After the First\r\nAccording to 0mid16B, the first access was directly to the firm’s backend MSSQl server.\r\nhttps://databreaches.net/2025/01/01/hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again/\r\nPage 1 of 2\n\n0mid16B claims they informed DEphoto on December 25, and that the company allegedly “restored the system”\r\nbut “did not protect or monitor it.” As a result of their failure to protect the system or to pay the demanded\r\namount, 0mid16B hacked them for a second time on December 29.  The second attack reportedly used the\r\ncredentials from the DB user login to gain access to the front end.\r\nWhen asked how much payment they demanded, 0mid16B stated that they managed to talk to the firm’s IT\r\ndeveloper on WhatsApp on December 27, at which time, 0mid16B demanded 50,000 GBP ($62,741.16).  There\r\nwas no response.\r\nBased on reviews on TrustPilot, it appears the firm quickly began sending out email notifications to affected\r\ncustomers. Entries dated December 28 for “date of experience” report people getting notified and being upset that\r\nDEPhoto had retained their information for so long. As one disgruntled person wrote:\r\nYou took pictures at my sons football tournament 10 years ago, so why on earth are you still keeping\r\n(and now losing) my personal data?\r\nYour own Data Protection Policy states “Data retention:\r\nThe company will retain personal data for no longer than is necessary.”\r\nHow do you justify keeping my personal data for 10 years for the purchase of a couple of photos?\r\nDEphoto’s privacy policy page was last updated in May, 2018, when GDPR officially took effect.\r\nWhat’s Next?\r\n0mid16B tells DataBreaches that they will be listing the 500k customer database for sale and will leak the rest of\r\nthe data for free. Whether they follow through on that remains to be seen.\r\nAs of publication time, there is no notice or alert on DEphoto’s website about any incident.\r\nSource: https://databreaches.net/2025/01/01/hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again/\r\nhttps://databreaches.net/2025/01/01/hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://databreaches.net/2025/01/01/hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again/" ], "report_names": [ "hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again" ], "threat_actors": [ { "id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad", "created_at": "2022-10-25T16:07:24.444096Z", "updated_at": "2026-04-10T02:00:04.994412Z", "deleted_at": null, "main_name": "ALTDOS", "aliases": [ "0mid16B", "ALTDOS", "Desorden", "GHOSTR" ], "source_name": "ETDA:ALTDOS", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775701432, "ts_updated_at": 1775792161, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/648e5faeebf9637d07772a666488985ae72f50cf.pdf", "text": "https://archive.orkl.eu/648e5faeebf9637d07772a666488985ae72f50cf.txt", "img": "https://archive.orkl.eu/648e5faeebf9637d07772a666488985ae72f50cf.jpg" } }