Canadian retail chain Large Tiger disclosed a data breach in March 2024.
A threat actor has now publicly claimed responsibility for the data breach and leaked 2.8 million records on a hacking forum that they claim belong to Large Tiger customers.
Data breach monitoring service HaveIBeenPwned has added the leaked database to its website to make it easy for customers to check if their information was compromised.
The discount retail chain operates over 260 stores and employs 8,000 people across Canada.
2.8 million customer records leaked online
On Friday, BleepingComputer spotted a post titled “Large Tiger Database – Leaked, Obtain!” surfacing on a hacking forum.
The threat actor behind the post claims to have uploaded the “full” database of Large Tiger customer records stolen in March 2024.
“In March 2024, the Canadian low cost retailer chain Large Tiger Shops Restricted… suffered a data breach that uncovered over 2.8 million purchasers,” states the threat actor.
“The breach contains over 2.8 million distinctive email addresses, names, telephone numbers and bodily addresses.”
The stolen data in the dump, the threat actor claims, also includes the “web site exercise” of Large Tiger customers.
“I lastly opened 60 of the 60 pages of the database part!” replied one forum member to the post, with others asking to preview a sample of the data set. The threat actor obliged and posted a small snippet.
The data set has been leaked essentially for free. Although the download link to the set must be unlocked by spending “8 credits,” such credits are often trivially generated by forum members by, for example, commenting on existing posts or contributing new posts.
Threat actors often breach companies and steal sensitive data to blackmail them and extort money. When extortion fails, a threat actor may deliberately leak the stolen data online or sell it on dark web marketplaces to buyers interested in conducting identity theft and phishing attacks.
Breach attributable to a third-party vendor
BleepingComputer has not verified the authenticity of the data set; however, we did reach out to Large Tiger with questions about the leak.
Without commenting on the authenticity of the leaked data, a spokesperson responded:
“On March 4, 2024, Large Tiger grew to become conscious of a security concern associated with a third-party vendor we use to handle buyer communications and engagement,” a Large Tiger spokesperson told BleepingComputer.
“We decided that contact info belonging to sure Large Tiger clients was obtained without authorization. We despatched notices to all related clients informing them of the state of affairs.”
“No cost info or passwords have been concerned.”
Large Tiger declined to share the name of the third-party vendor in question.
Data added to HaveIBeenPwned
As of April 12th, the leaked data set has been added to the “Have I Been Pwned?” database.
HaveIBeenPwned (HIBP) is a free online service that allows users to check if their data was compromised in known data breaches.
The number of breached records associated with this incident added to the HIBP database is 2,842,669, with the service stating that 46% of these records were already in its database.
Large Tiger customers should be wary of any suspicious emails or incoming communications that claim to be from the retailer. These could very likely be targeted phishing attempts from threat actors.
Although no payment information or passwords were exposed in this breach, signing up for an identity monitoring service could be useful to customers in preventing them from becoming victims of identity theft.