MemeChat, Pampling and others fall victim of data leaks.
13 March 2022BREACHAWARE HQ
A total of 10 breach events
were found and analysed resulting in 4,819,861 exposed accounts
containing a total of 13 different data types of personal datum
. The breaches found publicly and freely available included MemeChat, Pampling, Vkusnye Sushi, Kwork and Telderi. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Contact Data, Technical Data, Locational Data, Usage Data, Socia-Demographic Data.
Data Breach Analysis
These breaches spanned platforms in social networking, gig economy services, and online retail, offering a snapshot of the diverse digital services storing large volumes of user data and the associated cybersecurity risks.One of the standout names from this set is MemeChat, a social platform focused on meme sharing and viral content creation, particularly popular in parts of South Asia. Despite its light-hearted nature, platforms like MemeChat typically require users to register using email addresses, phone numbers, and social handles. In combination with profile content and direct messaging features, the exposure of such information can become problematic, particularly for younger users or influencers whose digital identities are central to their personal brands.
Pampling, a Spanish-based e-commerce platform specialising in graphic T-shirts and artistic merchandise, was also among the breached entities. As with many retail sites, account databases can include customer emails, delivery addresses, purchase history, and payment-related metadata. Though often less targeted than banking institutions, e-commerce leaks can still lead to fraud, identity verification bypasses, and spam attacks.
In Russia, two popular online platforms were affected: Vkusnye Sushi, a food delivery service, and Telderi, an online marketplace for buying and selling websites and domains. Both reflect how breaches in localised services, especially those with a strong national or regional focus, can have significant ramifications. Vkusnye Sushi’s data may contain order histories, phone numbers, and delivery addresses, which could be misused for social engineering or doxing. Telderi, being involved in online asset transactions, raises concerns around account hijacking or domain theft if credentials or contact details are reused across services.
Kwork, a freelance and micro-tasking platform with a user base spread across Eastern Europe and Central Asia, also suffered a breach. Gig platforms like Kwork typically store a combination of personal data (usernames, emails, bios) and financial data (earnings, payout methods, linked accounts). As gig workers often operate across multiple freelance marketplaces, leaked information here can increase the risk of targeted phishing, impersonation, or account theft across related platforms like Fiverr, Upwork, or Payoneer.
What connects all of these breaches is the intersection of utility and identity, platforms that, while not necessarily central to someone’s digital life, still collect and retain enough sensitive data to enable profiling, targeted marketing, or worse.
For businesses operating in these verticals, the lesson is clear: no matter how niche the service, if it collects user data, it becomes a target. From meme creators to domain traders, every digital footprint is a potential attack vector, especially when aggregated across multiple breaches.
On a broader scale, this breach set reinforces the evolving threat landscape affecting mid-tier digital platforms, services that may not have the resources or incentives to implement top-tier security practices, but which collectively store millions of user records. As cybercriminals shift their focus from large-scale “big game” breaches to easily exploitable “mid-size” platforms, the number and frequency of such leak events are likely to continue increasing.
Ultimately, with nearly 5 million accounts exposed across platforms as varied as food delivery, microjobs, entertainment, and domain trading, this incident group is a reminder that personal data knows no industry boundary. From convenience apps to creative outlets, users must remain aware of where they create accounts, and businesses must treat all data as sensitive by default.