Cybercrime
,
Data Security
,
Finance & Banking
Cybercrime Group ShinyHunters Advertises 160 Million Stolen Records
Vietnam’s central bank is probing a hack attack that breached its credit reporting division, potentially exposing sensitive personal data pertaining to millions of individuals. The cybercrime group ShinyHunters claimed credit for the breach.
See Also: Top 10 Technical Predictions for 2025
The State Bank of Vietnam said it first learned of the attack Wednesday, and that the breach only affected its National Credit Information Center, a credit reporting agency.
“Initial investigation shows signs of a cybercrime attack and intrusion, with the aim of stealing personal data,” the Vietnam Cyber Emergency Response Center, said in a Thursday statement, according to a machine translation. “The amount of illegally accessed data is still being quantified and clarified.”
VNCERT threatened legal repercussions for any individuals or organizations who download or share the stolen data without permission.
In a letter sent to financial institutions on Thursday, seen by Reuters, officials attributed the attack to the cybercrime collective ShinyHunters, namechecking previously targeted organizations as Google, Microsoft and Qantas, reported the news agency.
The government letter reportedly added: “The incident has not disrupted operations or caused any damage, and the credit information service system remains fully functional.”
On Friday, the central bank issued a statement designed to reassure the public that IT systems at the country’s commercial banks remain secure, as do their accounts, transaction history and financial data, reported Hanoi broadcaster Voice of Vietnam.
The central bank said its credit reporting unit is one of four organizations in the country authorized to supply credit information services. “The credit data it collects does not include bank account numbers, account balances, savings books, payment accounts, debit or credit card numbers, CVV/CVC codes or clients’ transaction histories,” Voice of Vietnam reported.
On Monday, the government published a statement warning that reports suggesting other government agencies or sectors may have also been breached – including banking, delivery services, energy and transport – are false, reported local media.
ShinyHunters Claims Credit
News of the attack first surfaced in a Sept. 8 post to Telegram by ShinyHunters, which claimed to have stolen “the entire database of the Credit Institute of Vietnam.” The group said this comprised over 160 million records and included personally identifiable information, information on credit payments and credit cards, government-issued ID numbers, military IDs, income statements, debts owed and more. The group published a sample of stolen data, advertising the complete set for the “negotiable price” of $175,000.
Later that day, a representative of ShinyHunters – lately calling itself Scattered Lapsus$ Hunters – told the privacy researcher known as Dissent that a member of the group breached the bank’s systems using a known vulnerability against end-of-life software for which patches were no longer available.
The group said it wasn’t attempting to ransom the data, since they didn’t think the central bank would ever pay. Scattered Lapsus$ Hunters in a semi-coherent screed on Friday announced its putative departure from cybercrime, stating that any additional data leaks stemmed from old activity (see: Scattered Lapsus$ Hunters Announces Closure).
For a financially motivated group such as ShinyHunters, the Vietnamese bank data is valuable because it includes “comprehensive credit reports, PII, financial records and government IDs,” all of which can be “extremely valuable on the darkweb,” often retailing for $10 to $100 for each full identity profile, or “fullz,” said threat intelligence firm Resecurity in a Saturday blog post.
The stolen data was first marketed on a cybercrime forum called “Breachstars,” at what Resecurity said was a “relatively high” price for such data. “Considering the scale of the issue, such a price may be rational, as it would give the buyer substantial visibility into Vietnam’s financial system,” it said. “It may also be used for fraud due to the disclosure of sensitive information about the victims, particularly banking customers.”
With the country’s population estimated at 106 million, the breach count of 160 million records – if accurate – may reflect the CIC retaining historical data, or potentially having multiple entries for the same individual, Resecurity said.
The Vietnam leak follows a seemingly nonstop flurry of attacks in recent months that involved stealing data from numerous Salesforce customers, as well as disrupting systems at British retailers, airlines, financial services firms and lately, vehicle manufacturers such as Jaguar Land Rover. The hackers previously also claimed breaches of the U.S. Department of Homeland Security, Britain’s National Crime Agency and Ministry of Justice, and government agencies in Brazil, France and India.
Experts remain skeptical that the group will be bowing out anytime soon, and said members may be trying to buy time to plan their next move, as pressure from law enforcement continues to mount.