Halara probes breach after hacker leaks data for 950,000 people



It should be noted that the forum post uses an incorrect logo for Halara and instead uses one for a cannabis company that was not breached.

BleepingComputer has reviewed the leaked data, and while Sanggiero says it contains 1 million lines of data, the text file only contains 941,910 records.

While BleepingComputer has not been able to confirm if all of the data is accurate, we contacted multiple people listed in the file and have confirmed that they are all Halara customers and that their listed phone numbers, names, and addresses are accurate.

In a conversation with BleepingComputer, Sanggiero says that they obtained the data by exploiting a bug in an API on Halara's website, which they say is still unfixed.

Sanggiero said they did not contact Halara about the stolen data and decided to release it for free as it would not have a lot of value if trying to sell it.

Halara customers should be on the lookout for targeted smishing attacks (SMS phishing) that attempt to steal other information, such as email addresses and passwords.

This information can be used for further attacks or sold to other threat actors who use it for fraud or other malicious behavior.

BleepingComputer is aware of numerous threat actors selling stolen accounts for online retailers, such as Saks 5th Avenue, Express, and Ulta Beauty, which are used to make fraudulent purchases.

Source: BleepingComputer