Saudi e‑commerce breach exposed 7M records

Saudi online marketplace Shukah.com suffered a data breach that exposed roughly seven million user records, including emails, phone numbers and hashed passwords, highlighting consumer-data risk in regional e‑commerce platforms (x.com). The incident reinforces why third-party data hygiene and breach disclosure practices matter for partners and payment providers operating in the region (x.com).

A Saudi online marketplace called Shukah.com was reportedly exposed in a breach affecting about 7 million records, with email addresses, phone numbers, and hashed passwords listed among the leaked data. The claim was circulated by DailyDarkWeb, which tracks breach posts and dark-web leak activity. (x.com)

That mix of data is enough to turn one leak into three different problems at once. Email addresses help with phishing, phone numbers help with text-message scams, and hashed passwords give attackers something they can try to crack offline if the hashing was weak or the password was common. (x.com)

A hashed password is not the same thing as a plain-text password. It is more like a password run through a one-way blender, which means criminals usually cannot read it directly but can still guess millions of likely passwords and compare the results until they get matches. (haveibeenpwned.com)

The number attached to this case is unusually large for a single retail site in the Gulf region. For comparison, security researchers at Kaspersky said they found nearly 10 million stolen account records across the Middle East in just the first half of 2024, with Saudi Arabia among the most affected countries. (me-en.kaspersky.com)

That helps explain why e-commerce platforms are a favorite target. They sit on names, addresses, phones, order histories, and login credentials in one place, so one successful intrusion can produce a ready-made list for fraud, spam, account takeover, and impersonation. (me-en.kaspersky.com)

Saudi Arabia already has a legal framework for this kind of incident. The Personal Data Protection Law came into force on September 14, 2023, and legal guides summarizing the law say organizations must handle personal data breaches through documented response and notification processes. (practiceguides.chambers.com, connectontech.bakermckenzie.com)

Saudi regulators have also been tightening the technical side. The National Cybersecurity Authority says its Essential Cybersecurity Controls 2-2024 were updated to strengthen protection of information and technology assets, which puts more weight on governance, risk control, and operational security instead of treating cybersecurity as an afterthought. (nca.gov.sa)

The third-party angle is where breaches like this usually spread. A marketplace can lock down its storefront and still have weak points in a cloud database, a customer-support vendor, a marketing plug-in, or a payment integration that touches the same customer records. (nca.gov.sa, connectontech.bakermckenzie.com)

For users, the immediate risk is not just one stolen password. The bigger risk is password reuse, because a cracked password from a shopping site can be tried against email, banking, food delivery, and social media accounts within minutes. (haveibeenpwned.com)

For companies that partner with marketplaces, the lesson is even less forgiving. If your brand handles checkout, shipping, customer messaging, or loyalty data, customers usually do not care which contractor failed first; they only see that their details leaked after doing business with all of you. (connectontech.bakermckenzie.com, nca.gov.sa)
