Webzen, Skrill and others fall victim to data leaks.

07 November 2021
BREACHAWARE HQ
Payments

A total of 22 breach events were found and analysed, resulting in 8,816,848 exposed accounts containing a total of 17 different types of personal data. The breaches found publicly and freely available included Webzen (URL Redirected), Skrill (URL Redirected), PSP ISO, Manga Traders and Groupon.

Categories of Personal Data Discovered

Financial Data, Contact Data, Locational Data, Transactional Data, Technical Data, Usage Data, Documentary Data, Communications Data, Socio-Demographic Data, Social Relationships Data.

Data Breach Analysis

The compromised platforms spanned a variety of sectors including gaming forums, manga trading communities, digital payment systems, and online retail environments, highlighting once again that privacy and data security risks are not limited to headline-making giants, but are prevalent throughout the digital ecosystem.

This batch of breaches involved 17 different categories of personal data, though this analysis does not infer specifics about which platforms were associated with which data types. Instead, the emphasis here is on the nature of the industries impacted, the likely characteristics of their user bases, and the broader implications these kinds of exposures carry.

Digital Payments and Redirected Financial Accounts: Skrill and Webzen

Two of the entities included in this round, Skrill and Webzen, were referenced through URL redirection events, suggesting that data originally stored or processed on these platforms may have been re-hosted, mirrored, or circulated via secondary sources. While redirection may point to legacy or indirect leak pathways, the implications for users remain significant.

Skrill, a well-known digital wallet and payment service, is widely used by individuals engaged in online gambling, forex trading, affiliate marketing, and freelance contracting. A breach linked to Skrill may impact users who rely on the platform for regular fund transfers, cross-border payments, or as an alternative to traditional banking. Even if direct financial credentials are not exposed, associated personal data (email addresses, usernames, or contact information) can be leveraged for phishing schemes, account impersonation, or targeted scams, particularly within crypto-adjacent and high-risk trading communities.

Webzen, primarily recognised for its online gaming services, particularly MMORPGs (Massively Multiplayer Online Role-Playing Games), may seem a surprising companion to Skrill in a breach summary. However, Webzen’s games often include micro-transaction systems and real-money trade (RMT) economies. As such, its user base overlaps with audiences sensitive to both identity and financial intrusion. A redirection-based breach linked to Webzen could expose gaming credentials, associated emails, and potentially billing metadata, useful for bad actors seeking to hijack game accounts or launch spear-phishing campaigns mimicking in-game services.

These cases reinforce that payment providers and hybrid entertainment-commerce platforms remain attractive targets, not just for their stored data, but for their access to cash flows, token-based economies, or valuable personal identifiers.

Legacy Gaming and Fan-Based Communities: PSP ISO and Manga Traders

Several of the compromised platforms in this batch serve niche online communities with long histories of user-generated content, including PSP ISO and Manga Traders. These sites, though often lightly moderated and community-driven, frequently host large numbers of user accounts stretching back years, many of which may have reused passwords or outdated credentials still valid elsewhere.

PSP ISO is part of a broader category of ROM sharing and gaming backup sites, often frequented by hobbyist gamers, modders, and retro console enthusiasts. Although many such forums operate on the fringe of legal acceptability, they often require account registration and facilitate extensive user interaction, resulting in surprisingly rich datasets. These can include usernames, email addresses, IP logs, and private messages, data valuable to attackers seeking entry points into more mainstream platforms or simply aiming to de-anonymise participants in semi-anonymous spaces.

Manga Traders, similarly, is a legacy site within the fan translation and manga sharing ecosystem. Communities like these tend to value pseudonymity and may not expect that their decades-old accounts could resurface in modern breach repositories. However, their longevity makes them high-value targets for identity correlation: attackers can cross-reference email addresses from such breaches with newer, more sensitive platforms, creating a composite profile of users based on online behaviour patterns.

These kinds of community-driven platforms, while not as prominent as social media or eCommerce sites, serve as cultural and behavioural repositories, containing not just credentials, but potentially revealing information about personal interests, ideology, and digital history.

eCommerce and Coupon Platforms: Groupon

The inclusion of Groupon in this set of breaches reflects the ongoing vulnerability of commercial platforms that manage large user bases, especially those involving transactional incentives, such as coupons or promotional codes. Groupon users often store email addresses, location data, and sometimes partial payment information in exchange for access to daily deals or discounted services.

Because Groupon accounts are frequently tied to local purchasing behaviour, their exposure introduces new risks beyond conventional identity theft. For example, attackers could impersonate customers to vendors, exploit location-specific promotions for fraud, or use exposed credentials for credential stuffing on affiliated shopping platforms. Additionally, since Groupon accounts are occasionally shared within households or used across multiple browsers and devices, they are often left with persistent logins, increasing the risk of session hijacking.

While Groupon itself has faced scrutiny and infrastructure updates over the years, the persistence of data from older breach events, and the apparent circulation of redirected or archived account information, demonstrates how legacy data rarely disappears entirely from the dark web and open breach forums.

Broader Observations and Affected Populations

Across these 22 breaches, several patterns emerge in terms of the likely user groups affected and the sectors most at risk:
- Gaming enthusiasts, particularly those involved in older platforms, emulator-based communities, or RMT ecosystems.
- Online shoppers and discount-seekers, often lured by the convenience of platforms like Groupon, who may not realise the tradeoff in data exposure risk.
- Manga fans and content sharers, whose participation in niche forums or culturally specific spaces may be long forgotten but still accessible via historic data leaks.
- Digital finance users, especially those outside mainstream banking systems, reliant on payment processors like Skrill.

For many of these users, the interconnectedness of their digital footprint, from shared usernames and passwords to email reuse across platforms, poses a growing risk. Attackers don’t need access to high-value credentials to initiate campaigns; they can triangulate data points across old breaches to build comprehensive targeting profiles, especially when users assume niche or historic accounts are dormant or forgotten.

Conclusion

This set of 22 publicly available breach events involving 8.8 million user accounts serves as a reminder that data breaches are not just a function of volume, but of longevity and context. Legacy platforms like Manga Traders, payment facilitators like Skrill, and voucher marketplaces like Groupon all play different roles in the digital lives of consumers, but when breached, they expose users in overlapping and often unpredictable ways.

Even when data appears through redirection or archival sources, its downstream impact can remain significant, particularly as attackers grow more sophisticated in aggregating and weaponising older datasets. For users, this means that digital hygiene practices, such as regular password rotation, two-factor authentication, and email compartmentalisation, remain essential, even for platforms long since abandoned.

Ultimately, the value of breached data isn’t determined solely by what’s taken, but by how it can be used next.
