“Rivals fabricated this,” Pinduoduo responds to an alleged ransomware attack


An alleged cyber heist may have exposed the data of 700 million Pinduoduo users. The company denies any breach, calling the claim “entirely false.”

Babuk, the cybercriminal gang behind the alleged ransomware attack, has listed Chinese online retailer Pinduoduo as a victim on its dark web leak site.

However, the alleged victim was dismissive of hacker claims, calling the whole affair a fabrication.


“Not a single piece of this fabricated data matches our transaction records,” the company’s spokesperson told Cybernews.

The platform is the largest product of Shanghai-based PDD Holdings, which also owns the popular e-commerce marketplace Temu.

According to the hackers’ message, cybercriminals hold an 892GB dataset, with data on nearly 700 million people. As claimed, the stolen data includes:

  • Customers' names
  • Phone numbers
  • Addresses
  • Order IDs
  • Items purchased
  • Prices
  • Time of purchase

Exposing such data could potentially cost users extra money, as it is a treasure trove for cybercriminals. They could exploit the detailed information about user purchases to craft convincing phishing attacks.

Email campaigns with, for example, fake requests to update delivery addresses might catch customers unprepared. Prompted to click malicious links, customers could reveal their passwords or download malware onto their devices that could later wipe their financial accounts.

Babuk ransomware leak site. Screenshot by Cybernews.

The company calls the data fabricated

Pinduoduo’s spokesperson told Cybernews that the company employs industry-leading data protection measures, and their security team has thoroughly investigated the alleged data breach.

The company states that claims of a ransomware attack are “entirely false” and blames it on a competitor “resorting to underhanded tactics to smear a rival.”

“This so-called ‘leaked data’ is a recycled hoax from November 2023 that was comprehensively debunked at the time. Not a single piece of this fabricated data matches our transaction records,” said the spokesperson in a statement.

“We will not tolerate deliberate attempts to spread falsehoods, mislead the public, or damage our reputation. Those responsible for fabricating and amplifying these lies – whether for profit or malicious intent – will be held accountable,” said the spokesperson.

The current alleged ransomware claim is not a stand-alone case. In 2024, an unknown threat actor on an illicit marketplace claimed to possess 87 million lines of Temu users’ personal data.

However, a Temu spokesperson told Cybernews that after the investigation, they concluded that not a single line of data disseminated by an unknown threat actor matched its actual records.

Who is the Babuk ransomware gang?

The Babuk gang has also listed other high-profile companies, Taobao, Orange, and JD.com, supposedly referring to alleged ransomware attacks against them. Cybernews has not received a comment from these companies yet.

Ransomware gangs often list the victims on their dark web leak sites, attempting to muscle organizations into paying a ransom or facing a damaging leak of stolen data. If the company refuses to pay the ransom, the stolen dataset is publicly released, as happened in this case.


Babuk ransomware initially appeared in 2020, with researchers linking the group with Russia-linked cybercriminal organization Evil Corp as well as ransomware behemoths Ryuk and Sodinokibi. Last year, the UK's National Crime Agency slapped a dozen of Evil Corp's members with financial sanctions.

However, Babuk was inactive for nearly a year and resurfaced in January 2025. According to Cybernews' dark web monitoring tool, RansomLooker, the gang has already listed 87 victims on its leak site and claimed over 30 organizations in March this year alone.

Updated on March 18th with the company's statement.