933K cracked passwords of Minted.com users available for sale
Minted.com is one of the famous online marketplace of independent artists and designers, headquartered at San Francisco, California, United States. During our research we have found “minted.com” customers credentials in the plain-text are being sold by an active threat actor goes by the name as “Megadimarus” on a leak forum.
The data set consists of 933K email with their respective passwords. This data seems to be from May 2020 data breach as reported officially by Minted.com on their website, which says that customer’s password is salted and hashed, but our research says otherwise.
We also tried to login on “minted.com” using few of the cracked credentials, and we were successful.
We were also able to see “order details”, “Account” and under “Account” it has “my profile”, which holds personal information of the user, including last four digits of their credit card. An important point which we noticed under “my profile”, it has a section called “connected accounts”, which says “Login with Facebook”.
Later, we tried to access the Facebook through the “connected accounts” using same credentials and we were surprise to see the results, here are the cases we found:-
- We were able land on Facebook “security code” page, which means password was same for Facebook and “minted.com”. Thank God! Facebook’s ‘2-Factor Authentication’ worked.
- For some credentials, it said its an old password,
- And for some, it said incorrect password.
Note:- It can be a huge concern for “minted.com” customers, considering privacy concerns.
Furthermore, we also got access to the “address book” of one of the “minted.com” user, which had ‘87 contacts’ and their addresses.
All these data leaks were part of the rampage started by “ShinyHunters” threat actor in May 2020 in which they were offering minted.com data for 2500 USD, as per BleepingComputer.
This blog is a part of an independent research which is done on a frequent basis to keep internet a safe place.
Security Chronicle is a team of independent security researchers and a dedicated security news platform to educate, aware netizen on security risks & threats.
Email us at “secchronicle@gmail.com”.