7M Records From Saudi E‑commerce Leak
A breach of Saudi marketplace shukah.com exposed about seven million user records — including identity numbers, hashed passwords, emails, phone numbers and login data — and the dataset is now being offered for sale. The leak adds to a broader pattern of regional e‑commerce sites becoming high‑value targets. (x.com)
A food-ordering app in Saudi Arabia now appears in breach reports for a very different reason: an alleged dump of about 7 million records is being advertised for sale, with identity numbers, email addresses, phone numbers, hashed passwords, and login data described as part of the package. (brinztech.com)
Shukah is not a tiny side project. Its own site says it is an electronic platform that gathers restaurants and shops in one place so users can browse menus, prices, and offers and place orders through the app. (shukah.com)
That matters because food-delivery accounts collect the kind of details people reuse everywhere else. An email address plus a phone number plus a password hash is often enough to fuel password-cracking, fake delivery messages, and account-takeover attempts on other services. (cloudsek.com)
The most sensitive field in the reported leak is the identity number. In Saudi Arabia, that is closer to losing a wallet with your government card inside than losing a throwaway shopping login, because it can be used to make phishing messages look real and to tie a victim to other records. (dlapiperdataprotection.com)
The phrase “hashed password” sounds safer than it is. A hash is a scrambled version of a password, but weak or reused passwords can still be guessed by running huge lists of common passwords until the scramble matches. (cloudsek.com)
Saudi Arabia’s Personal Data Protection Law requires controllers to notify the Saudi Data and Artificial Intelligence Authority within 72 hours of becoming aware of a reportable breach, and affected people must be told without undue delay when the incident could seriously harm their data or privacy. (dlapiperdataprotection.com)
The law has real teeth on paper. DLA Piper’s Saudi summary says disclosure or publication of sensitive data with intent to harm can bring up to two years in prison and fines up to 3 million Saudi riyals, while other violations can still trigger warnings or fines up to 5 million Saudi riyals. (dlapiperdataprotection.com)
This leak also fits a pattern. In the past year, breach-monitoring firms have flagged other Saudi online commerce platforms, including Yamm and Karzoun, as having customer or admin data offered on underground forums, which suggests attackers see regional marketplace databases as easy-to-resell inventory. (brinztech.com 1) (brinztech.com 2)
The reason these databases sell well is simple: a shopping account is not just a shopping account. It can contain names, addresses, order history, merchant details, delivery patterns, and contact lists that let criminals build convincing messages that look like routine order updates or refund notices. (cyfirma.com)
If you ever used the service, the first move is not to wait for a public statement. Change that password anywhere else you reused it, turn on two-factor authentication where you can, and treat any text message or call that mentions a recent order, refund, or identity number as suspicious until it comes through a verified channel. (dlapiperdataprotection.com)
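The “hashed password” point above, as an added Python example that is not from the article or from Shukah: it shows why an unsalted fast hash falls to the common-password check the article describes, and what a salted, slow hash (PBKDF2) changes about the cost, including at the scale of a 7 million record table. The wordlist, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the "huge lists of common passwords" the article mentions;
# real cracking wordlists run to millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "riyadh2024", "letmein"]

# Assumed PBKDF2-HMAC-SHA256 work factor; tune it to your login latency budget.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted, fast SHA-256: what a leak's 'hashed password' column too often is."""
    return hashlib.sha256(password.encode()).hexdigest()


def guess_weak_hash(leaked_hash: str, wordlist) -> Optional[str]:
    """The check the article describes: hash each common password and compare.
    Because the scheme is unsalted, one pass over the wordlist covers every record."""
    for candidate in wordlist:
        if hmac.compare_digest(weak_hash(candidate), leaked_hash):
            return candidate
    return None


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> tuple:
    """Salted, slow PBKDF2: a random salt per user stops one guess from testing
    all records at once, and each guess now costs `iterations` hash calls."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    _, candidate = strong_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def cracking_cost(num_records: int, wordlist_size: int, salted: bool, iterations: int) -> int:
    """Hash computations needed to try a whole wordlist against a leaked table.
    Unsalted: hash the wordlist once and look every record up. Salted: per record."""
    per_pass = wordlist_size * iterations
    return per_pass * num_records if salted else per_pass
```

With the unsalted scheme the five-word list is checked once for all seven million records; with a salt per user and 600,000 iterations the same list costs seven million times five times 600,000 hash calls.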