Z2U data breach finds users selling illicit accounts online; Over half a million records expose buyer photos, passports and financial info

Alina BÎZGĂ

April 05, 2023


Cybersecurity researchers at vpnMentor have stumbled upon a highly sensitive non-password-protected database containing over 600,000 records, including images of users holding their credit cards or other identifying documents.

According to a report published April 4, the unsecured database belongs to Z2U, a well-known online gaming marketplace where users can trade and sell in-game items, game currency and gaming accounts.

Access to the publicly open database was closed less than a week after researchers disclosed the breach to the company.

Researcher finds more than what he bargained for

Seasoned cybersecurity researcher Jeremiah Fowler says that documents he analyzed indicate customers “are selling much more than game-related accounts and services” on the platform.

While examining the database, Fowler found seller ads for social media accounts, streaming services, operating system and antivirus software licenses, and even records of sale for malicious software.

“Z2U appears to be a broker between individuals buying and selling everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+, and even Windows license keys at a fraction of the real price,” Fowler explained. “What was more disturbing was seeing sellers offering viruses, malware or other malicious applications.”

The researcher also provided a full breakdown of the database, highlighting the extremely sensitive nature and variety of the exposed data, which includes:

  • Images of credit cards, customers and government-issued documents, including passports
  • Financial information, including records showing bank transaction payments with fully visible IBAN numbers
  • Login information with users’ email addresses and passwords alongside order confirmations with buyers’ names, emails and purchase details
  • Software license keys for Microsoft, antivirus solutions and Adobe Photoshop
  • Screenshots of customer support dashboards, communications, purchase history, account credits and refund requests
  • Records showing the sale of streaming service accounts including from HBO MAX, Netflix and Disney+
  • Records showing the sales of social media accounts including on Facebook, Twitter and Instagram
  • Login credentials for gaming platforms
  • Sales of Amazon Prime accounts alongside Amazon buyer and seller accounts
Source: vpnMentor

Were users selling hacked or personal access to streaming and gaming accounts on the platform?

The researcher pointed out that Z2U users were selling potentially compromised accounts worldwide. Accounts for streaming services such as HBO MAX and Netflix Premium went for as little as $1 and Disney+ three-month subscriptions for just $5.

“Although Z2U claims to not sell stolen, hacked, or cracked accounts it is unclear what the verification process is other than buyers requesting a refund when the account is restricted, suspended, or no longer works,” Fowler explained.

“I saw a large number of refund requests for frozen accounts. Their customers were worldwide based on the identification documents contained in the database.”

Fowler also noted that login credentials for some aged Call of Duty, War Spear, Minecraft, League of Legends and Fortnite gaming accounts sold for more than $600.

“I saw online streaming platform access keys being sold that would allow the user to access a large selection of games,” he added. “It should be noted that many of these offerings came with a VPN (virtual private network) or the buyers were offered to purchase the VPN separately.”

Customers’ privacy and financial security at risk

While the report does not highlight any misconduct by Z2U per se, the exposed database raises major security issues for customers who provided sensitive data including images of them holding IDs and other documents, or financial information.

Even if there is currently no evidence that cybercriminals accessed the records, the real-world consequences for exposed users are limitless: criminals could use the images as a form of validation to open fraudulent accounts and purchase products.

“In a limited sampling of records I saw a large number of individuals holding their identity documents and credit cards with their faces clearly visible,” Fowler noted. “These images are required by Z2U’s verification process and should have never been publicly exposed. This information could put users at significant risk of identity theft and fraudulent charges.”

In the digital world of today, innocuous acts such as online shopping put identity at risk.

Bitdefender identity protection solutions can help you navigate these threats to your privacy and financial security, with instant alerts whenever your personal information is at risk.

From data breach and data leak monitoring to complete identity theft restoration services (available in the US only), our solutions can help you stay in the know and immediately react when your personal info is stolen or misused.

Digital Identity Protection and Identity Theft Protection plans can be found here.
