vpnMentor, a cybersecurity company, has revealed that an online marketplace for discounted online accounts, license keys, and malware has been the subject of a data breach, potentially exposing hundreds of thousands of sensitive records. Security researcher Jeremiah Fowler discovered 600,000 “customer support attachments” relating to the Z2U website, including photographs of individuals holding passports, credit cards, and other identification documents.
The non-password-protected database also contained payment transactions, including IBAN numbers, user account logins, emails, and passwords, as well as order confirmations with buyers’ names, emails, and purchase information. In addition, Fowler was able to access screenshots of the customer support dashboard, communications, purchase histories, account credits, and refund requests.
According to Fowler, the marketplace is located in China, and the server hosting the database was also based in the country. Z2U boasts a 4.5 Trustpilot rating and claims to be a “world-leading digital marketplace trading platform” that specializes in buying and selling in-game items for gamers.
Fowler’s study, however, appears to reveal a wide range of dubious trading activity outside the gaming world, including the sale of social media, streaming, and Amazon accounts.
Fowler warns that sharing or selling accounts raises many ethical and security concerns. Some users on Z2U were discovered selling HBO MAX and Netflix Premium accounts for as little as $1 and three-month Disney+ subscriptions for $5.
It is against the law in the UK for users to share their passwords for services such as Netflix, Amazon Prime Video, and Disney+. Windows license keys were also found to be sold at a fraction of their true cost, and sellers were offering viruses, malware, and other malicious software.
Fowler sent a note to the site in Chinese, and access to the database was closed shortly after that. The researcher stated that his findings did not imply any wrongdoing on the part of Z2U or their customers and were meant to highlight the risks associated with real-world dangers. Infosecurity has contacted Z2U for comment, and the story will be updated if there is a response.
