22 million users at risk? Paidwork data allegedly up for sale on hacker forum

Published: 2 April 2026
Paidwork

A hacker’s post on an underground forum is stirring unease across the gig economy, claiming that millions of Paidwork users who signed up for easy earnings may now have their personal and financial data circulating for sale.

A listing has appeared on a well-known hacker forum involving a threat actor claiming to be auctioning off the personal data of 22 million Paidwork users. Paidwork is a micro-task platform that promises easy earnings for small digital jobs.

Paidwork claims a user base exceeding 25 million worldwide, though public figures vary across platforms. Mobile app store listings cite more than 4 million users, while LinkedIn descriptions reference upwards of 15 million freelancers.

ADVERTISEMENT

The platform has increasingly targeted the United States market through its advertising services.

paidwork breach
Entry on the hacker forum. Screenshot by Cybernews

What is Paidwork?

The platform’s ecosystem revolves around six core categories of work: playing games, watching ads, completing surveys, shopping through cashback links, testing applications, and referring new users.

Individual tasks typically yield anywhere from a few cents to a dollar, with users required to accumulate at least $10 before withdrawing earnings.

Founded in 2018 as Zareklamy in Poland, it operated under a different name before rebranding and establishing US operations. The platform expanded to the US market with formal LLC registration in November 2024 and remains operational as of April 2026.

What data has been stolen?

To back up their claims, the threat actor posted screenshots of a database allegedly extracted from the platform.

ADVERTISEMENT

Researchers from Cybernews reviewed the listing and said the sample provided by the seller contains a partial SQL dump.

According to our researchers, the sample includes five database tables with limited entries, each containing between 10 and 20 lines of data.

The database includes a range of sensitive data, such as:

  • Email addresses
  • Password hashes
  • Full names
  • Physical addresses
  • Device and location data
  • In some cases, partial banking details. Some records reference bank account numbers, while others point to financial platforms linked via email.

Still, the headline claim “22 million users” remains unverified, and the full scope of the alleged breach is unknown. The threat actor has not posted any other breaches on the hacker forum before this entry.

“We cannot confirm the claim that 22 million users are affected at this stage,” the Cybernews research team noted.

As of now, Paidwork has neither confirmed nor denied the alleged breach. Cybernews has reached out to the company for comment.

paidwork breach sample
Entry on the hacker forum. Screenshot by Cybernews

If proven legitimate, the breach could have severe implications for platform users. The exposed information could enable identity theft, targeted social engineering campaigns, financial fraud, and reconnaissance for future cyberattacks.

Even partial datasets can serve as building blocks for more sophisticated exploitation attacks, our researchers warn.

ADVERTISEMENT

Job platforms have been a target for attackers

Online job platforms are highly valuable targets for attackers, as they store troves of personal data from job seekers. And, in some cases, they’re also linked to digital wallets and financial information, which could be drained and exploited.

While storing such sensitive data, not all platforms ensure top-notch security. Previous research by Cybernews found that job platforms themselves were leaving their systems passwordless, so attackers didn't need to make an effort to breach them.

For example, Foh&Boh, a US hiring platform used by KFC, Taco Bell, Hyatt Grand, and others, exposed millions of applicants’ resumes due to the unprotected AWS bucket.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

Cybernews researchers also uncovered a massive data leak traced back to the HireClick recruitment platform, which helps businesses manage job listings, candidate applications, and the hiring process.

The company left over 5.7 million files of job seekers exposed due to a misconfiguration of an Amazon AWS S3 storage bucket.

European platforms are not immune either. beWanted, one of the largest employment platforms in Europe, exposed a bucket containing 1.1 million files of job seekers, including names and national ID numbers.

Unlock more exclusive Cybernews content on YouTube.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked