Johnson Fitness and Wellness hit by DESORDEN Group

In what has become a familiar event, DESORDEN Group announced yet another attack on a multinational corporation. This time, their target was Johnson Fitness and Wellness, a subsidiary of Johnson Health Tech. Co., Ltd. Johnson Health Tech manufactures exercise training equipment and is listed on the Taiwan stock exchange; Johnson Fitness is headquartered in the U.S. and is an exercise equipment retailer.

In their post on a popular hacking forum, DESORDEN stated that the breach involved 71 GB of data and files affecting Johnson Fitness’s suppliers, dealers, customers, and employees. Files concerning their internal operations and financial records were also acquired. Most of the sample files did not contain personal information. Other sample data shared exclusively with DataBreaches included customers’ personal information such as name, address, phone number, and date of birth. Of note, a leaked “sysusers” file included employee names, email addresses, usernames, and passwords in plaintext.

DESORDEN’s spokesperson commented that they were surprised that a big company left their passwords in plaintext, “which is really rare in our attacks against big companies.”

“This Johnson hack took quite a lot of time too,” they added, explaining, “we breached into their [Johnson Health Tech’s] mainframe server, but they had AVs and firewall that prevent outgoing connections — only allowed IPs of those within the network. So we have to find the other servers on the same network, breach in and pray hard that the firewall config is allowed. At the end of the day, we used another breached server to act as a bridge to the mainframe and stole the data. So it took quite a bit of time.”

DESORDEN’s spokesperson could not recall exactly when they first accessed Johnson but estimated that they were in there for months. They still have access, they claim.
According to their statement to DataBreaches, although Johnson read their emails, downloaded the data samples, and watched the video, they did not reply to any of their communications. DESORDEN explained that their initial communications to a victim do not specify a specific demand amount. “We will wait for victims to respond, then we will set the sum based on their size,” they tell DataBreaches. So because Johnson did not respond to DESORDEN, they do not know how much DESORDEN might be demanding. The total lack of response suggests that Johnson has no intention of paying any ransom demand. DESORDEN’s spokesperson told DataBreaches that they are neither surprised nor particularly upset by that because they believe they will be able to quickly sell the corporate information and trade secrets they were able to exfiltrate. DataBreaches sent an email inquiry to Johnson Fitness about their response to the claimed attack. No reply has been received as of publication time.  
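The “bridge” pattern the spokesperson describes above (an egress-filtered host handing data to a second internal server that is allowed to reach the internet) leaves a correlatable trace in flow records: a large internal-to-internal transfer followed shortly by a comparable internal-to-external transfer from the receiving host. The following detection is an added example, not code from the article or from any party it names; the flow line format, the 10.0.0.0/8 internal range, the 50 MiB threshold and the one-hour window are assumptions chosen for the demonstration.

```python
"""Flag internal hosts that relay large transfers from another internal host
to an external destination within a short window (a pivot/bridge pattern).

The sample flows below are constructed for this example, not real logs.
Each line: "<epoch_seconds> <src_ip> <dst_ip> <bytes>".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed internal address space; adjust to the real environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WINDOW_SECONDS = 3600                 # relay must egress within one hour (assumed)
MIN_BYTES = 50 * 1024 * 1024          # 50 MiB transfer threshold (assumed)

# Constructed sample: 10.0.1.5 (egress-restricted) pushes ~700 MB to 10.0.2.20,
# which then sends ~700 MB to an external address 15 minutes later.
SAMPLE_FLOWS = """\
1700000000 10.0.1.5 10.0.2.20 1048576
1700000300 10.0.1.5 10.0.2.20 734003200
1700000400 10.0.2.20 10.0.3.9 4096
1700001200 10.0.2.20 198.51.100.7 700000000
1700003000 10.0.5.1 203.0.113.4 2048
"""

Flow = Tuple[int, str, str, int]          # (timestamp, src, dst, bytes)
Hit = Tuple[str, str, str, int, int]      # (upstream, relay, external_dst, in_bytes, out_bytes)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def find_relays(flows: List[Flow], window: int = WINDOW_SECONDS,
                min_bytes: int = MIN_BYTES) -> List[Hit]:
    """Correlate large internal->internal transfers with a later large
    internal->external transfer from the same receiving host."""
    # Large inbound transfers, keyed by the internal host that received them.
    inbound: Dict[str, List[Tuple[int, str, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes >= min_bytes:
            inbound[dst].append((ts, src, nbytes))

    hits: List[Hit] = []
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst) and nbytes >= min_bytes:
            for in_ts, upstream, in_bytes in inbound.get(src, []):
                # Egress must come after the inbound transfer, within the window.
                if 0 <= ts - in_ts <= window:
                    hits.append((upstream, src, dst, in_bytes, nbytes))
    return hits


if __name__ == "__main__":
    for upstream, relay, ext, in_b, out_b in find_relays(parse_flows(SAMPLE_FLOWS)):
        print(f"possible bridge: {upstream} -> {relay} ({in_b} B) -> {ext} ({out_b} B)")
```

Run against real connection-tracking or NetFlow exports, the same correlation also surfaces legitimate backup or proxy hosts, so the relay list should be compared against the approved egress allowlist before alerting.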

Revenge telecom hacking by DESORDEN Group; third attack threatened

DESORDEN Group has added a new transparency demand to their attacks against Malaysian entities: victims must disclose the breach publicly if they have not paid the attackers. If the victim doesn’t disclose and Malaysian media does not report the incident, Malaysia should expect more breaches. The added demands arose after DESORDEN claimed they spent hours answering questions from a Malaysian journalist about the redONE telecom breach. The journalist then supposedly told them that they needed to seek permission from a higher authority before their paper could publish a data breach of a telecom in Malaysia. DataBreaches does not know whether a journalist or paper needs any such authorization or if there was some misunderstanding of what was said. Still, it does appear that the hack of redONE was not reported by any Malaysian news outlet. If redONE has not disclosed and does not disclose, affected customers and employees may not know that their data has been stolen, leaked, and possibly sold. redONE never responded to inquiries DataBreaches sent about the incident.

A Second Telecom Hacked

In response to the lack of transparency and coverage, DESORDEN hacked a second Malaysian telecom. “We take responsibilities for the hack and data breach of REDTONE DIGITAL BHD NETWORK ( on 1st October 2022,” their latest post on a hacking forum begins. “This attack is in response to the cover-up of the first telecommunication company redONE Network Sdn Bhd ( which we breached on 19th September 2022….” DESORDEN’s post states that REDTONE DIGITAL BHD NETWORK is the previous owner of redONE. As they have done previously, DESORDEN provided samples of data they claim to have exfiltrated. They do not indicate how many files, in total, they have. Nor do they indicate whether they intend to sell or leak the data. Their message is clear, though: If Malaysian journalists continue to cover up the data breaches, Malaysians can expect a 3rd telecom company attack.
As of this morning, DataBreaches cannot find any media coverage in Malaysia of either the redONE or redTONE breaches. DataBreaches submitted an inquiry to redTONE, but no reply was immediately received. This post will be updated if a response is received.

Thailand’s THE ICON GROUP hacked by DESORDEN

DESORDEN Group’s attacks on ASEAN businesses continue. This week, they disclosed a hack of The Icon Group in Thailand. In a statement on a popular hacking forum, DESORDEN writes:

This data breach involved 161 GB of databases and files, including personal information of 264,128 customers, with their full name, ID card number, bank account number, address, phone, email, etc, along with KYC images of their customers such as ID card copy, bank book copy and KYC docs. In addition, we have also stolen their company corporate and financial data.

As is their usual practice, DESORDEN provided samples from various .csv files, but they also leaked some KYC image files. Know Your Client (KYC) image files showed individuals’ faces and photocopies of identity information about the individual. When asked, DESORDEN informed DataBreaches that they did not have KYC images for all 264,000 customers but estimated they had about 70,000 such sets. According to them, The Icon Group did not respond to any of their communications. DataBreaches sent an email inquiry to The Icon Group, asking for their comments on DESORDEN’s claims and whether they were notifying any regulator or customers whose personal information had been accessed or acquired. No reply has been received. DESORDEN claims that they have had access to The Icon Group since approximately July and still have access to it. If they still have access, customers, employees, and regulators may want an explanation from the firm as to what they did when they first discovered a breach.

Malaysian Telecom RedOne hit by DESORDEN

On September 19, DESORDEN Group claims to have hit redONE Network Sdn Bhd. redONE is a telecom in Malaysia with more than 1.2 million subscribers. redONE also offers financial services via bank partnership (its redCARD program) and insurance services via insurer partnership (its redCARE program). According to statements made to DataBreaches by DESORDEN, when redONE didn’t respond to DESORDEN’s demands, DESORDEN launched a second attack on or about September 21, hitting their redCARD and redCARE programs. As DESORDEN wrote on a popular hacking forum:

This data breach involved both redONE databases and source coding. Personal data include full name, NRIC (national identification number), address, phone, email, etc.

As is their usual pattern, DESORDEN provided samples of data. In this case, there were samples from redONE, redCARD, and redCARE. All three samples included personal information on customers, and all three samples had fields for NRIC. DataBreaches ran some of the sample data through redONE’s site and confirmed that individuals whose NRIC appeared in the sample data from redONE do have or did have accounts with redONE. The ID checker page has since been taken offline by redONE, but an archived copy of the form as it appeared last year appears below. To verify that the data in DESORDEN’s sample were real, DataBreaches picked some random entries in the redONE sample, entered the NRIC in the “Identification No” field, and entered the captcha. For each NRIC tested, the redONE checker returned information on the customer’s Account ID, when the account was activated and when it terminated. Although DESORDEN has been just leaking some data recently rather than trying to sell it, they claimed that if they did not hear from redONE within 48 hours of their last email, the data will be posted for sale publicly. It has been about 24 hours or so since their last email.
DataBreaches sent email inquiries to redONE yesterday to ask them if they would confirm or deny DESORDEN’S claims about the breach but has received no reply.

DESORDEN leaks more data from Indonesia; “Indo data is officially worthless”

The DESORDEN group recently announced that due to the flood of personal information on Indonesians, they were giving up on attacking Indonesian entities. But they also noted that they already had some attacks in progress that they would still be leaking. Today, they announced one of those attacks on a popular hacking-related forum where data are shared, traded, or sold:

We take responsibilities for the hack and data breach of PT CARE TECHNOLOGIES (, an insurance software and IT vendor for all 60+ major insurance and healthcare companies in Indonesia, including clients such as AIG, Allianz, MNC, BRI Insurance, etc. In total, we have stolen 2.2 GB of databases from their network.

DESORDEN then provided links to the full data leak, including .csv files with client data and employee data. According to DESORDEN, they acquired the logins of the clients to PT Care Technologies. More significantly, perhaps, they claim that the clients use the same version of the software that they obtained from PT Care:

Their clients deploy the same software version developed by PT Care Technologies as the one we breached, so for those who want to explore further, can try exploring the vulnerabilities of their clients. If need more information, pm @post to ask for the vulnerabilities

In a subsequent chat with DataBreaches, DESORDEN indicated that they had not attempted to access any of the clients but did not need logins for the clients. “Just needed to use the same vulnerability to access the clients self hosted version,” they explained. But they also indicated that the vulnerability would likely be fixed within a few days as they had already informed the company about it. The fact that the firm had taken its servers down suggests that they were working on addressing the vulnerability and informing clients, they said. While the leaked data will be of some concern to PT Care Technologies and its clients, it was pretty much just a wasted effort for DESORDEN.
“No one wants to buy Indonesia data,” they tell DataBreaches. “People are selling hundreds of millions for few hundred bucks — the supply of Indonesia data has already dumped the value of its data.” “Indo data is officially worthless. In the past, we could still sell 0.005 USD per record. Nowadays, 0.0002 USD per record and no one wants to buy.”

Will the market flood make other Indonesian firms less attractive as targets for other adversaries? Time will tell, but in light of all the leaks and data dumps we have already seen, Indonesian entities might take advantage of any lull and seriously address data protection, and now, not in two years.

Customer data from hundreds of Indonesian and Malaysian restaurants hacked by DESORDEN

Hackers known as DESORDEN have hit another big Indonesian business. This time, their victim was BOGA Group, which operates more than 200 restaurants and outlets across Indonesia and Malaysia under brand names including Bakerzin, Pepper Lunch, Paradise Dynasty, Paradise Inn, Shaburi, Kintan Buffet, Onokabe, Putu Made, Kimukatsu, Yakiniku Like, Ocean 8, Sushi Kaiyo, and Boga Kitchen. Boga Group also operates Boga Catering, a premium catering service. More than 400,000 customer records and 16,000 employee records were acquired by the hackers.

As is their usual style, DESORDEN provided proof in the form of samples drawn from the corporation’s .csv files. They also created a recording showing directories, opened files, documents and spreadsheets. The recording includes a message to their target. The highlighted portion of the recording reads:

“To prove that DESORDEN has breached your servers, we have deleted the databases from your server after downloading them. In total, we have stolen over 31 GB of data and files from your network of servers. Check the facts with your IT department. These data include 409,168 information of your customers, with their name, phone, and email as well as 16,476 employees data, financial, and corporate data.”

The numbers correspond to the rows displayed in the .csv files shown in the recording. When asked about the deletion of databases mentioned in their recording, DESORDEN replied, “They have backups. Delete is only for them to know we breached.” DataBreaches sent an email inquiry to BOGA Group about the attack. No reply has been received. In discussing this attack with DESORDEN in an online chat, DataBreaches pointed them to an article from The Jakarta Post about all the leaks and breaches appearing online. DESORDEN commented that the report did make a point.
They say it is easy to go after smaller companies in Indonesia because most small companies have little or no security (an observation that applies to small companies worldwide). But DESORDEN also notes that these countries often have weak or no regulations imposing security standards or requiring notification in the event of breaches. “Countries like India, Malaysia, Indonesia, Thailand. We do not really expect responses from them. Informing them is only for courtesy,” DESORDEN told DataBreaches. “Selling their data is also as profitable. While it doesn’t fetch as much as victim paying, but a single job data can profit as much as $20,000 USD in sales of data easily.” DESORDEN has also recently been telling DataBreaches to expect more breaches in South Korea, Taiwan, Vietnam, and Japan and continuing interest in data from Thailand.  The current market is looking for personal information from these countries, DESORDEN states, from “mostly Chinese buyers.”

TH: Major Cineplex and Major Development PCL hit by DESORDEN

DESORDEN has hit another big business in Thailand. This time it is the largest cinema chain and its subsidiary property development company. As DESORDEN informs DataBreaches, the Major Development PCL was breached during the first week of August and contacted by DESORDEN on August 17. “The management refused to respond and we attacked their main cineplex business (Major Cineplex) on 19th August and informed them on 28th August 2022.” Both breaches reportedly involved the acquisition of corporate, financial, employee, and customer data as well as personal information of buyers of properties. As is their usual practice, they assert that they did not deploy any encryption and did not delete any files or backups during the attack. According to DESORDEN, they acquired hundreds of thousands of Major Cineplex’s MPass members. DataBreaches is as yet unable to verify that estimate. As of publication, they have not yet posted anything on the popular hacking forum where they generally announce any leaks or sales offerings.

As proof of acquisition of customer and property buyer data, DESORDEN provided DataBreaches with two Excel files, each with 1,000 records. One was for MPass members from Cineplex, and the other was for the Major Development CSProfile database. The MPass member data included membership ID number, first and last name, mobile phone number, email address, username, and birthdate. DataBreaches was able to validate the data by using MPass’s website where members can enter their email address to access their membership information. The results of a sample of searches produced corresponding member data. In each case, the records were partially redacted as they appeared on MPass’s site, but they matched the unredacted fields in the spreadsheet. DataBreaches has provided additional redaction, below:

The second data set was from the Major Development CSProfile data set.
Those records included fields that include first and last name, nickname, mobile phone number, gender, email address, birthdate, citizen ID, and member password, with some other fields. DataBreaches does not know whether these are all property buyers or just leads to potential buyers, or both. DataBreaches made no attempt to verify the data in this second spreadsheet at this time. DataBreaches reached out to both Major Development PCL by email and Multiplex Cinema by contact form yesterday to inquire about DESORDEN’s claims and their response to any hack. No replies have been received and nothing appears posted on their websites at this time.

Major Indonesia tollroad operator hacked by DESORDEN (Updated)

On August 23, DESORDEN alerted DataBreaches to another one of their attacks. This one involved the PT JASAMARGA TOLLROAD OPERATOR, Indonesia’s largest major tollway and highway operator. According to DESORDEN’s statement:

This data breach involved 252 GB of data, coding and documents, across 5 of their servers. The data breach involves their users, customers, employees, corporate and financial data.

As they always do, they provided proof of claims. In this case, the proof pack consisted of some individual files and a screencap showing properties of a drive they accessed. The claims and links to proof were also posted on a popular hacking forum. Since then, the Jasamarga Tollroad Operator (JMTO) has responded to the claims. reports their statement that the data acquired is only internal data and company-related information — but not customer data in the JMTO app [SEE UPDATE AT BOTTOM OF THIS STORY]:

“It has been confirmed that it is not related to customer data in the JMTO app,” said JMTO corporate communication community Lisye Octaviana in a statement on Thursday, August 25, 2022. Lisye said that PT JMTO has now disabled the servers affected by the attack. Lisye added that the company is in the process of recovering the data and moving the system to a more secure server, and closing the security vulnerabilities. “We are cooperating with competent people in conducting cyber security assessments in the system at PT JMTO,” Lisye said.

DataBreaches was unable to connect to JMTO’s website today. After earlier attempts timed out, later attempts returned an error message that the name had not resolved. As one result, DataBreaches was unable to try to send them any updated inquiries. This site was able to reach DESORDEN, however, to ask them to respond to JMTO’s claims that no customer data from the JMTO app had been compromised.
DESORDEN informs DataBreaches that they are aware of JMTO’s statement and are checking all the 200+ GB of data to determine if JMTO is correct or not about customer data in the app. They anticipate it will take a few days to check through all the data. In response to other questions from this site, DESORDEN confirmed that no ransomware had been involved in the incident. Of special note, they wanted JMTO to know that there were still open vulnerabilities for JMTO to be aware of, even though they say that JMTO has already addressed two vulnerabilities. DESORDEN seemed well aware of what steps JMTO has taken and is taking. “Last check, they shut down public access to most servers in JMTO network, but there are other networks like There are still open vulnerabilities and if wanted, we can still access other parts of their network,” DESORDEN told DataBreaches. “We have been inside their network since early August. They have a huge network of servers. Vulns are something they really need to look at,” they added.

For now, then, it’s unclear whether customer data from the JMTO app was involved — JMTO says it wasn’t, and DESORDEN is attempting to confirm or refute that but it will take some time. Eventually, though, after they sort through and organize all the data, DESORDEN will be putting it up for sale.

Update and Correction of September 13: In light of Jasamarga’s claims that no customer data was involved, DESORDEN did review the data they had acquired. They inform DataBreaches that there was no customer data — only corporate information and employee information.

Desorden is back, declares an attack on MISTINE Better Way Thailand Company

It’s been a while since DataBreaches has seen any announcements from Desorden, but the group contacted DataBreaches over the weekend to claim responsibility for a hack and data breach of Better Way Thailand Company Limited, a personal care products and cosmetics distributor. Mistine is one of 200 companies under Saha Group, Thailand’s leading consumer products publicly listed conglomerate. Better Way Thailand Company Limited started with Mistine products. In a statement to DataBreaches, Desorden wrote:

This data breach involved 180 GB of data and 60 GB of files, affecting more than 20 million personal data information of their customers and sales representative, which represents almost 1/3 of the entire Thailand population. In total, DESORDEN breached into 20 of their servers, across brands of Flormar, Fairs, Friday, Mistine, MYSS, Yupin and NingNong. The data alone include customer sales representatives, employees, suppliers, export, ecommerce, corporate, HR and financial records. Personal data alone, we have stolen over 20 million personal identifiable records, that include ID card no, birthdate, name, address and contact detail.

DataBreaches notes that the number of identifiable records with personal information generally does not equate to the number of unique persons who have had their personal information breached as there may be duplication across files or databases, but some of the employee and representative files DataBreaches saw each contained about 100,000 records. Desorden informed DataBreaches that they received no reply from Mistine to their contacts or demands since July 8. As a result, they claim, they are preparing to leak and sell the data. As has been their method, Desorden provided DataBreaches with samples from the claimed breach, including copies of what they provided to Mistine management. An mp4 file makes clear that they had access to directories and files and that those files contained personal information on employees and representatives.
In a message to Mistine included in the mp4, Desorden tells them that they have deleted all the databases from Mistine’s servers after downloading copies. DataBreaches does not know if Mistine has usable backups, but if they don’t, the loss of the files would be likely to impact functioning. Although Desorden would not get specific about how they gained access to the servers, they stated that they had exploited a few vulnerabilities that had not been patched yet. DataBreaches attempted to contact the Data Protection Officer for Mistine via email sent to the address listed on Mistine’s site in their privacy policy. The email bounced back with error 554 5.7.1: “Recipient address rejected: Access denied.” DataBreaches re-sent the inquiry to seven email addresses found in the management .csv file provided by Desorden to this site. The seven addresses included the firm’s CEO. Those emails did not bounce back but no reply has been received. DataBreaches did not attempt to contact any of the employees or representatives in the sample data at this time. In the past, Desorden’s claims to DataBreaches to have hacked entities have all proven to be true, although sometimes the claims of number affected vary from the entities’ claimed number. In the past, Desorden had posted some of the data on Raid Forums. With Raid Forums seized, they appear to have created an account on another popular hacking-related forum that has both onion and clearnet versions.

Note: Although the headline suggests Desorden was gone for a while, they claim that they have remained active the whole time but that most jobs just take months.

Desorden Group expands attack on Central Group after deal to pay them allegedly fell through

Yesterday, this site reported that Desorden Group hit Central Restaurants Group (CRG) in Thailand. A Desorden spokesperson had told this site that there would be more details to be revealed, and now there are. It appears that Centara Hotel Group is part of the Central Group that had been breached. Centara has now issued a statement on their site confirming that there has been a breach and what they did after first becoming aware on October 14 of a problem. CRG has also issued a statement (in Thai) on its site that attempts to reassure people that no credit card or financial information was stolen.

Desorden Group responded to some of Centara’s statements in an email to “In the announcement,” Desorden writes, “they managed (sic) that they have engaged a reputable consultant to deploy investigation immediately after we notified them. We notified them. The management tried to recover their data and started negotiation with us on 16th October 2021. On 17th Oct, they managed to recover part of the system and asked for proof that we breached them. The same day, within 10 minutes, we breached the exact same network of 5 servers and compromise it to show them that we have immediate access to their servers again. Reputable consultant, we will leave it for the public to think about it.”

Desorden also disputes Centara’s claim that the breach impacted “a limited section of our network, with the general personal data of some of our customers.” “We basically brought down their entire backend, which consists of 5 servers,” Desorden responds.
“In total, over 400 GB of files and data was stolen over a course of 10 days.” Desorden claims that the exfiltrated data includes millions of customers from many countries: “Basically, anyone who have ever stayed at any of their 70 luxury hotels between 2003 to 2021 has been compromised and we mean luxury first class hotel guests,” Desorden writes, adding: “In the chat, we have sent them proof of the data by exporting any dataset which they requested and they have verified the hotel guest leaks. Also, 400 GB of data included all financial data, corporate data, employee data, etc. Basically, we wiped their network of 5 servers in the heist.”

According to Desorden, hotel guest data included name, passport number, id number, phone, email, (some had address of residence), check-in/departure time, etc. “Many millions of them, even those who booked in advance until December 2021 are affected,” Desorden claims.

Desorden informed that they have gone public with these details and additional attacks on Central Group because after reaching a deal to reportedly pay Desorden $900,000.00 USD on October 26, Central Group management broke the agreement to pay. In addition to attacking Centara, Desorden then also attacked other (additional) Central Group companies and claims that they will be publishing the hotel data in a few days. A selection of files were provided to this site as proof of claims. reached out to both Central Restaurants Group and Centara Hotel to request a response to Desorden’s claims, but no responses have been received, possibly due to the late hour there. This post will be updated if a reply is received.