The hacker had not discloses how he got the load, but claimed that the database included 895,000 gift cards from 3,010 companies, like Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. 

It seems that the database contained cards from thousands of brands and might have originated from an older breach that started at the now-defunct discount gift card shop Cardpool.

It’s common practice when selling data in bulk on hacker forums for the seller to set up an auction. This auction started at $10,000, with a buy-now option price of $20,000, therefore it did not take long for a buyer to pay for the entire load.

A threat intelligence firm, Gemini Advisory, says that usually, gift cards sell for 10% of their value, but in this situation, the asked price was significantly lower, around 0.05%.

This is raising some questions as giving them up for a very small fraction of their value is abnormal, and it could mean that the seller’s claim regarding $38 million could’ve been an overstatement made in order to get attention and find a buyer quickly, another reason for the small price could be the fact that the gift card validity rate was likely lower, with many of them being no longer active or having a low balance.

It looks like the seller might’ve been involved in the CardPool breach, as he offered to sell incomplete data from 330,000 debit cards in an auction that started at $5,000 and a buy-now price of $15,000, just a day after the auction regarding the gift cards.

In the information available could be found billing addresses, card numbers, expiration dates, and the issuing bank’s name, but the database did not contain the cardholder name or the CVV code required for card-not-present (CNP) transactions.

The researchers concluded that these payment cards came from the breach that took place at between February 4, 2019, and August 4, 2019.

Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials.


The hacker that is selling the two databases is a long-time member of the underground community, being active on the dark web forums since 2010, and previously offering large collections of stolen payment card data, databases, and personally identifiable information (PII) of U.S. residents.

Deep Web vs. Dark Web: What is Each and How Do They Work

Android Malware: Your Mobile Device Isn’t Safe from Hackers

Security Alert: New and Cheap Stampado Ransomware for Sale on the Dark Web

Leave a Reply

Your email address will not be published. Required fields are marked *