Quidd Users Are Warned That 4 Million Login Details Were Leaked on an Underground Forum

Quidd Data Breach

Just like any other business, the trade in stolen data is shaped by a number of different factors. Many different people make up the supply chain, and each has a specific role. The nature of the data and its source determine how high the demand is, and the asking price follows from that demand. A recent data breach discovered by RiskBased Security and reported by ZDNet gives a pretty good insight into how things work.

Quidd has suffered a data breach

The discovery was made on March 12 when researchers from RiskBased Security spotted a post on a hacking forum from a user nicknamed ProTag. ProTag was offering a database containing the email addresses, usernames, and hashed passwords of just under 4 million users of a digital collectibles trading platform called Quidd.

According to ZDNet's investigation, ProTag is the hacker who actually broke through Quidd's defenses and stole the data back in 2019. The March 12 post was unusual because normally, the hacker isn't the one distributing the data. Usually, this is the job of the so-called traders, who also get a share of the profit whenever budding cybercriminals and fraudsters decide to shell out on some stolen usernames and passwords.

One such trader told ZDNet that the Quidd database was traded long before ProTag posted it on the hacking forum. Apparently, the data was changing hands in privately negotiated transactions. Whether this has anything to do with it remains unknown, but ProTag's post didn't remain online for long. Shortly after RiskBased Security saw it, it was deleted.

In late March, the ad was posted again on the same forum by a different individual, and ever since, the database has been shared and reshared numerous times. We should note that we're talking about a publicly accessible forum, and we should also point out that the Quidd account details are offered for free, which means that anyone with an internet connection could fire up their favorite browser and download them. But will they?

A strong hashing algorithm makes fraudsters’ lives harder

One of the first things we need to learn in the event of a password leak is how the login credentials were stored. Despite the countless warnings, some service providers continue to make basic password storage mistakes, and as a result, the people who buy login details on the dark web can easily compromise a large number of accounts and can conduct their scams through them. Luckily, Quidd isn't one of those providers.

The passwords were hashed with bcrypt – one of the hashing algorithms that is hardest to crack, because it is deliberately slow and salts every hash. Recovering plaintext passwords from bcrypt hashes (by guessing candidate passwords and hashing each one) is an extremely time- and resource-intensive process, and often, cybercriminals decide that the effort is just not worth it. Not in this case, though.
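To make the storage point concrete, here is an added example (not code from the article, Quidd, or RiskBased Security) that puts the "basic mistake" form of password storage next to the salted, deliberately slow form the article credits Quidd with. bcrypt itself is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in for the same design point; the record format, iteration count, and the `needs_upgrade` policy are assumptions of this example. It also shows the check a provider uses to migrate legacy fast hashes at the user's next successful login, and measures how much more each guess costs an attacker against the slow form.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow KDF (assumption of this example; bcrypt's cost
# parameter plays the same role). PBKDF2-HMAC-SHA256 stands in for bcrypt here.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_hash(password):
    """The 'basic mistake': one fast, unsalted SHA-1 over the password.
    Every user with the same password gets the same hash, and a cracker can
    test a huge number of guesses per second against it."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash stored as 'pbkdf2_sha256$iterations$salt$digest'
    so the salt and work factor travel with the record and can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Check a login attempt against either record format, comparing in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        expected = hashlib.sha1(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, rest)
    if scheme == "pbkdf2_sha256":
        iterations_s, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations_s))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False  # unknown scheme: never accept


def needs_upgrade(stored, min_iterations=PBKDF2_ITERATIONS):
    """True when the record is a legacy fast hash or its work factor is below policy."""
    scheme, _, rest = stored.partition("$")
    if scheme != "pbkdf2_sha256":
        return True
    return int(rest.split("$")[0]) < min_iterations


def upgrade_on_login(password, stored):
    """Verify, and if the record is weak, re-hash with the current policy while
    the plaintext is legitimately available. Returns (ok, record_to_store)."""
    ok = verify_password(password, stored)
    if ok and needs_upgrade(stored):
        return True, hash_password(password)
    return ok, stored


def cost_ratio(password="constructed sample", guesses=10):
    """How many times more CPU time one guess costs against the slow record
    than against the legacy record, measured on this machine."""
    legacy = legacy_hash(password)
    slow = hash_password(password)
    t0 = time.perf_counter()
    for _ in range(guesses):
        verify_password(password, legacy)
    t_legacy = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(guesses):
        verify_password(password, slow)
    t_slow = time.perf_counter() - t0
    return t_slow / max(t_legacy, 1e-9)


if __name__ == "__main__":
    old = legacy_hash("constructed sample")      # what a careless provider stored
    ok, new = upgrade_on_login("constructed sample", old)
    print("login ok:", ok, "| migrated record:", new[:40] + "...")
    print("slow hash costs the attacker about %.0fx more per guess" % cost_ratio())
```

The migration path matters in practice: a provider that already holds fast hashes cannot convert them without the plaintext, so it re-hashes each account the next time that user logs in successfully, which is what `upgrade_on_login` does. The ratio printed at the end is why the article says cracking bcrypt is "not worth it" for most leaks; it only moves the attacker's decision point, it does not make cracking impossible.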

As RiskBased Security pointed out, Quidd users trade millions of dollars' worth of digital collectibles, and apparently, the crooks see this as a big enough incentive. Many of them have tried cracking the hashes, and it looks like some have already succeeded. One of ZDNet's screenshots shows a hacker offering around 137 thousand Quidd username and password pairs in plaintext, and according to RiskBased Security, another trader claims to have cracked over 1 million hashes. Of course, since they've gone through the trouble of cracking the hashes, these sellers won't give the plaintext away for free.

Quidd is still keeping quiet

Now that the data is in the public domain, Quidd can't do much to stop cybercriminals from sharing it among themselves. It can, however, inform its users about the incident and take steps to mitigate the potential consequences. For some reason, it appears to be doing neither of these things.

There is no official statement from the platform, and potentially affected users aren't getting any notifications. Both RiskBased Security and ZDNet wrote to Quidd with requests for comment, but the platform has not responded. Given that some of the login credentials are now traded in plaintext, a forced password reset for affected users sounds like a good call, but Quidd hasn't done that, either.

As you can see, even proper password storage sometimes isn't enough to stop determined cybercriminals, which makes responding properly in the aftermath of a data breach even more important for affected service providers. Unfortunately, it looks like the people in charge of Quidd don't understand that.

April 15, 2020
