April 10, 2020 • RBS

Categories: Security News

The credentials of nearly 4 million Quidd users have recently been discovered by our Data Breach Research team on a prominent deep web hacking forum. At this time, the leaked data has not been offered for sale but is available in a non-restricted manner.

Headquartered in Brooklyn, Quidd is an application designed for trading various digital collectibles with reportedly over 2.1 billion assets issued. According to CrunchBase, the marketplace app is backed by Sequoia and carries a post-money valuation in the range of $50M to $100M as of Nov 7, 2017.

The compromised data sets were originally posted on March 12th, 2020, and self-attributed to a threat actor named “Protag”. However, the files were quickly removed. The data resurfaced on March 29th, 2020, when it was reuploaded by a different user, and it has remained available since. One threat actor responded to the post stating that he has already cracked, or decrypted, nearly a million password hashes.

A Risk Based Security researcher who monitors the forum confirmed the posting came from a reliable source. After initial testing, the data appears to be valid. The leaked data sets include email addresses, usernames, and bcrypt-hashed passwords of 3,954,416 users.

Moreover, the data leak contains more than a thousand professional email addresses related to well-known entities including:

  • AIG
  • Experian
  • Target
  • Microsoft
  • Accenture
  • Virgin Media
  • Tutanota
  • University of Pennsylvania

This creates a notable risk of business email compromise as well as potential spear phishing campaigns.

At this time, Quidd has not responded to our email inquiries. We will update this post with new information if and when they do.
