Share this analysis

'Excrement' delivery service that ships worldwide has been breached.

15 August 2022
BREACHAWARE HQ
Poo

A total of 22 breach events were found and analysed resulting in 22,559,432 exposed accounts containing a total of 20 different data types of personal datum . The breaches found publicly and freely available included Aptoide (2), CafeMom, GE.TT, gPotato and Banorte.. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Technical Data, Socia-Demographic Data, Social Relationships Data, Financial Data, Behavioural Data, Transactional Data, Communications Data.

Data Breach Analysis

The Aptoide breach points to persistent vulnerabilities in mobile app marketplaces, especially those operating outside mainstream app ecosystems. Users of such platforms face increased risks of account takeovers, malicious app installs, and identity theft.

The exposure involving Banorte carries significant implications for financial security, as banks are critical targets for fraudsters aiming to exploit sensitive personal or transactional data. Even a limited leak can trigger large-scale phishing attempts or fraud.

CafeMom and gPotato, while more niche, illustrate how legacy or entertainment-oriented platforms can still harbour high volumes of user data. Their breaches highlight the importance of decommissioning old systems securely and maintaining cybersecurity protocols even for non-transactional platforms.

The inclusion of GE.TT, a tool often used for casual or business file-sharing, may affect both personal and corporate users, raising concerns around leaked documents, proprietary files, and credential misuse.

These breaches reinforce the urgent need for organisations to enhance data governance and monitor third-party dependencies that may introduce vulnerabilities. Users impacted may face a long tail of issues including fraud, identity misuse, and privacy invasions, particularly if exposed information is reused across services.

Spotlight

Unfortunately, an 'excrement' delivery service which has been operating since 2014, was breached. The site offers users the choice of which type of excrement to send, from horse to pig excrement. Shipping world-wide and also accepting bitcoin, meaning users can send sh*t with anonymity. The actual breach consists of a variety of datasets and thousands of unique email addresses.

A professional looking Icelandic payment site's data caused a bit of a debate within the team, the site allows users to send money globally with low fees and a choice of currencies, including crypto. During our investigation, we came across a financial review site which shone some light on several things. The lack of SSL certification, that the website's was 6 months old, and the website traffic being almost null.

Perhaps this was a well-crafted scam page, or perhaps our paranoia got the better of us. Browser and device information, along with email addresses, were just some of the credentials which are now circulating.

And finally, a Mexican banking services company has been breached after having an altercation with a threat actor online. When they ordered him or her to take down some content that was connected to the company, they sighted financial and reputational risk. It doesn’t look like the threat actor was the cause of the breach but bought it from another and dumped it online for free. Millions of email addresses, along with physical addresses, were in the data breach, as well as mobile phone numbers.

  • Key Stats
  • BREACH EVENTS
    0
  • EXPOSED ACCOUNTS
    0
  • EXPOSED DATUM TYPES
    0