Puma investigates claims of leaking more than 230k customers’ data (updated)
Paulina Okunytė reports:
Private data allegedly belonging to more than 230,000 Puma customers in Chile has been found on a hacker forum.
A threat actor has listed an 84MB-strong dataset for sale that allegedly belongs to the multinational sportswear manufacturer.
The cybercriminal or criminals behind the dataset listing claim that it is from Puma’s Chilean e-commerce website, although at the time of writing Cybernews was unable to independently verify this.
Read more at CyberNews.
The individual who uploaded the data to the popular hacking forum has a good reputation on the forum. They describe the data fields as:
“Customer Email”, Telephone, “Customer Name”, Documento, “Purchase Date”, “Bill-to Name”, “Ship-to Name”, “Grand Total (Base)”, “Grand Total (Purchased)”, “Billing Address”, “Shipping Address”, Subtotal, “Shipping and Handling”, “Medio de pago”, “Oms Number”, “Coupon Code”, “Cart Rule”, “Estado del Pago”, Ciudad, Region
They also describe the data set as being in .csv format, 84 MB in size, and containing information on 237,013 users. The data set, allegedly obtained from cl.puma.com, is reportedly dated January 21, 2023.
In response to an inquiry sent to Puma’s press communications office this morning, a spokesperson responded:
PUMA is currently investigating a data leak at its Chilean ecommerce site to establish what data has been leaked and how this could have occurred.
DataBreaches has also sent an inquiry to the forum user who posted the data to see if they will shed some additional light on the claimed incident. This post will be updated when more information becomes available.
The forum user who listed the data informs DataBreaches that some Puma employees “got caught by a virus, I do not know the exact situation since I buy logs from my suppliers. then I get what I need.”
The forum user also provided this site with a set of login credentials for a Puma administrative login to an e-commerce panel. DataBreaches does not access sites without consent so did not try the password, but what DataBreaches did do was enter the username and click “forgot password.” That screen then asked for my email address to send a password reset, which indicates that the username/login I was given was a working username at least.