The Target: The PandaBuy online shopping platform.
The Take: The data contained approximately 1.5 million unique UserIds, First Name, Last Name, Phone Numbers, Emails, and Login IPs.
The Vector: "The data was stolen by exploiting several critical vulnerabilities in the platform's API and other bugs were identified allowing access to the internal service of the website," the threat actor said.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.