Share this article on:
UPDATED: Adreno confirms incident impacting more than 500,000 customers of the popular Australian dive store.
A threat actor has claimed to have successfully hacked a popular online dive store and has offered the data of more than 500,000 of its customers for sale on a popular hacking forum.
The hacker – who goes by the name of “worry” online – claimed to have hacked Adreno in July 2024 and boasted of the hack on 7 August last week.
“Dumped in July 2024 by me, total users 536k,” worry said.
“Contains full names, emails, phone, address, dob, etc.”
The leaked data includes a large number of internal sales data for each customer, which appears to have come from a Shopify database. The data includes fields for customer ID, opt-in details for SMSes, loyalty reward programs, credit details, and even customers’ other interests.
The data also includes names, addresses, emails, and phone numbers.
The post also includes a link to a selection of sample data hosted on a paste site, and while many of the fields do appear to be empty in the eight lines of data, personal addresses and emails are included.
The hacker claims to have 536,519 lines of data.
Adreno was established as a Sydney-based retail outlet in 2015, but it now has stores across the country, as well as a thriving online business. The company claims its Gold Coast store is the world’s largest dive store.
Adreno is aware of the incident.
"We are in contact with the ASD and the National Cyber Watch Office agent that notified us of the breach," an Adreno spokesperson told Cyber Daily.
"We are currently working with the platform from which we believe the data was exfiltrated to help with the investigation and closure of the vector. Furthermore, we've already actioned revocation of admin access rights to customer data on said platform, password resets on all accounts and the rekeying and restriction of API access for the two third-party service providers that utilise it."
The company also said it was in the process of contacting stakeholders.
"Staff and service providers have been informed and we are working with the OAIC guidelines as to best meet our obligations under the Notifiable Data Breach scheme and our imminent communication with affected customers," Adreno said.
This is the second Australian victim claimed by the threat actor in the last week. Furniture store Early Settler confirmed it was the victim of a data breach last week after worry posted the details of more than 1 million customers on 5 August.
Worry was first observed on 28 July 2024, and since then has claimed eight victims from Australia, Brazil, Egypt, India, Pakistan, Saudi Arabia, and Thailand.
UPDATED: 13/08/24 to add Adreno commentary.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.