Private data allegedly belonging to more than 230,000 Puma customers in Chile has been found on a hacker forum.
A threat actor has listed an 84MB-strong dataset for sale that allegedly belongs to the multinational sportswear manufacturer.
The cybercriminal or criminals behind the dataset listing claim that it is from Puma’s Chilean e-commerce website, although at the time of writing Cybernews was unable to independently verify this.
The leaked database included customers' names and contact information, such as emails, telephone numbers, and billing and shipping addresses. It also contained details about their purchases – order numbers, payment methods, total monies paid, shipping costs, and discounts.
Puma’s representatives told Cybernews that the company was “currently investigating a data leak at its Chilean e-commerce site to establish what data has been leaked and how this could have occurred.”
Puma’s alleged data leak is dangerous since it allows threat actors to launch targeted phishing campaigns.
“They could send texts and emails pretending to be from Puma, and use the information found in this dump to gain trust – for instance they can use valid order numbers or names,” said Aras Nazarovas, a researcher at Cybernews.
He added: “They could also use this information in combination with partial credit card information that the victim might have had leaked previously to purchase items with the victim's card."
According to Cybernews researchers, leaks like these are frequent, showing that e-commerce websites are low-hanging fruit for cybercriminals. As there is an increasing number of threat actors trying to exploit such sites, developers should pay attention to implementing security measures.
If proved to have happened, the leak will not be the first to affect the sportswear giant. In 2022, Puma was struck by a data breach due to a ransomware attack on Kronos, one of its HR management providers. Threat actors managed to obtain employee personal data, including social security numbers.
Kronos was hit by a ransomware attack in December 2021, disrupting its clients' access to staff management and payroll processing. The severity of the attack meant employees in the US were left without paychecks for weeks afterwards.
More from Cybernews:
Subscribe to our newsletter