Hackers have leaked sensitive information about nearly a million people said to be customers of Hong Kong-based sportswear company Halara.
A hacker under the alias Sanggiero posted a new thread on a dark net forum and in a Telegram channel detailing the hack.
“In January 2024, more than 1 million rows of data from the retail company Halara were posted on a popular hacking forum. The data included 1 million unique address ID, first name, last name, phone numbers, country, home address, zip code, state, city, iso,” the message reads.
Vulnerable API
Analysis of the posted database seemed to confirm that at least some of the information in it is accurate. However, while the hacker claims to have information on a million people, the database contains 941,910 records. Additionally, the hacker used an incorrect logo for Halara, posting a logo belonging to an unrelated cannabis company.
BleepingComputer contacted some of the people whose information was placed in the database and confirmed that the data is correct. The publication also confirmed that the people were indeed Halara customers.
This means whoever gets their hands on the information could use it to create credible-looking phishing emails or commit identity theft.
The company is now said to be investigating the matter.
BleepingComputer also managed to contact Sanggiero, who claims to have stolen the data via a vulnerability in an API on the Halara website. The database is not of much value to them, so they decided to share it online for free. Apparently there has been no contact with the victim.
Halara is a sportswear company that sells so-called ‘athleisure’ clothing. It was founded in 2020 and gained immense popularity through short videos shared on TikTok.