An actor going by the handle BitBanish has claimed that he has put the subscriber data of streaming service Vivamax up for sale on an international hacking forum last Friday, July 26.
Vivamax, a subsidiary of Viva Communications, is an extremely popular video-on-demand Internet streaming service also known for risque content in its video catalogue. Launched in early 2021, it boasts of an international audience and has grown to 11 million subscribers in just three years.
Based on the hacking forum post by BitBanish, the data being sold consists of over 2.08 gigabytes of JSON (JavaScript Object Notation) formatted content with over 6.8 million lines of member/subscriber data, with an additional 1 gigabyte of subscriber transaction data that has multiple transaction rows per line.
These include full names, phone numbers, email addresses, countries of registration, account creation dates, subscription IDs, subscription start and end time, subscription types (Google Pay, Huawei Pay, credit card, Apple Pay, PayMaya, Gcash, etc) for the subscriber data.
BitBanish claims that the data was obtained via API scraping authenticated with administrator privileges.
Screenshots of samples obtained by Deep Web Konek, a cybersecurity advocacy organization that was one of the first groups to make the public aware of the breach, show that the subscriber data may be comprised of multiple lines per subscriber entry.
If the sample screenshot format matches that of the main JSON file data set, it could mean that there is a significantly lower number of victims for the portion of the subscriber database that was scraped, possibly in the hundreds of thousands instead of millions.
If, however, the sample data JSON was reformatted to multiple lines to make it easier for humans to read and that there was actually one entry per line in the main dataset, this means there really might be over 6.8 million victims in the breach.
Media statement – Data breach incident affecting Vivamax user data#Vivamax pic.twitter.com/NgHi0MIKNV
— Vivamax (@VivamaxPH) July 27, 2024
Vivamax released a statement on Saturday, July 27, that they would like to assure the public that they were taking the matter very seriously and that they are exhausting all means to investigate and verify the breach and its possible scope.
The company also stated that they had implemented appropriate protocols to secure their system and further protect data against unauthorized access while conducting their investigation.
In the wake of this, potential victims are advised to take the following precautions:
- Change passwords, especially on other platforms if they used passwords similar to the Vivamax account. Use strong, unique passwords. Users should never re-use passwords on different platforms and services as this puts them at risk of credential stuffing attacks.
- Consider using a password manager.
- Enable 2-factor authentication on all accounts that offer it.
- Monitor financial accounts like bank and credit statements for unauthorized transactions.
- Be very vigilant against social engineering, phishing, scams and other attacks via e-mail, phone calls, SMS, or messaging services.
- Beware of callers or messages from unknown numbers or e-mail addresses.
- Beware of legitimate-looking or sounding e-mails (and website links) or calls pretending to be from entities, especially if they use your data (name, email, phone number) as confirmation of your identity, to pretend that they are a service you are registered with. Verify that the party contacting you is legitimate.
- Do not click suspicious links in emails, SMS, or messenger apps
- Be wary of email attachments.
- Be aware that malicious people who get hold of your data may attempt to use your phone numbers and e-mail addresses to register accounts on different platforms/services.
- Resist blackmail and extortion attempts.
- Educate friends and family members of the dangers following this potential data breach, as malicious actors may use the information to perform related attacks on them.
