MyDeal Hacked – Over 2.2M Users' Data Advertised for Sale on a Hacker Forum

MyDeal, a subsidiary of the Woolworths Group, disclosed a data breach that impacted more than 2.2 million customers. Reports say the hacker was attempting to sell the stolen data on a hacker forum.

In September 2020, Woolworths acquired 80% of MyDeal; nevertheless, Woolworths was not impacted by the security breach.

“A compromised user credential was used to gain unauthorized access to its Customer Relationship Management system resulting in unauthorized access to some customer data within our network”, according to the data breach notification published by the company.

The hackers gained access to the MyDeal Customer Relationship Management (CRM) system by exploiting a user’s compromised credentials. The CRM is the system the company uses to take customer support calls.

Over 2.2 Million Customers Were Impacted By the Data Breach

The company says the data breach affected 2.2M consumers, exposing information such as names, email addresses, phone numbers, delivery addresses, and in some cases, birth dates.

For 1.2 million customers, only the email addresses were exposed in the breach. MyDeal stated that no customer account passwords or payment details have been compromised in this breach.

“MyDeal is contacting all affected customers by email. If you have not been contacted by MyDeal you have not had your details accessed in the incident, as the large majority of our customers are not affected by this incident”, reads the data breach notification.

Hackers Selling the Stolen Data on the Hacker Forum

Reports say the hacker behind the breach began selling the stolen data on a hacking forum for $600.

MyDeal data for sale on a hacking forum

The hacker also shared screenshots of what they claim are the company’s Confluence server and a single-sign-on prompt for the company’s AWS account. Further, the hacker released samples of the stolen data, exposing the personal information of 286 alleged MyDeal customers.

As soon as the company became aware of the breach, it blocked access to all affected systems. The company notified all relevant authorities and undertook to assist with their inquiries into the matter.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.