A Russian hacker has sold close to 900,000 gift cards, with a total value estimated at $38 million, on a top-tier underground forum.

The database contained cards from thousands of brands and may originate from an older breach at the now-defunct discount gift card shop Cardpool.

Suspiciously low price

The seller did not disclose how they got the cache but claimed that it included 895,000 gift cards from 3,010 companies, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart.

As is common practice when selling data in bulk on hacker forums, the seller set up an auction that started at $10,000, with a buy-now price of $20,000. It did not take long for a buyer to end the sale.

Threat intelligence firm Gemini Advisory (acquired by Recorded Future) says that gift cards typically sell for 10% of their value. In this case, the price was significantly lower, around 0.05%.

Giving them up for a fraction of the value is abnormal, which could mean that the seller’s claim of $38 million was an overstatement to get attention and find a buyer quickly.

Another theory from Gemini Advisory is that the gift card validity rate was likely lower, meaning that many were no longer active or had a low balance.

Clues point to Cardpool breach

A day after selling the gift cards, the same actor offered to sell incomplete data from 330,000 debit cards in an auction that started at $5,000, with a buy-now price of $15,000.

The info available included billing addresses, card number, expiration date, and the issuing bank’s name. It did not contain the cardholder name or the CVV code required for card-not-present (CNP) transactions, like online purchases.

Gemini Advisory’s analysis concluded that these payment cards came from a breach at Cardpool.com between February 4, 2019, and August 4, 2019. With the store accepting card payments and both databases sold by the same actor, it is logical to assume that Cardpool is also the source of the gift cards.

“Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials” – Gemini Advisory

As per the Payment Card Industry Data Security Standard (PCI-DSS), online stores cannot store the CVV code; they can choose whether to save cardholder names or not. This would explain the absence of these two types of data from the seller’s cache.

The hacker selling the two databases is a long-time member of the underground community, with posts on dark web forums since 2010, says Gemini Advisory. Previous offers include large collections of stolen payment card data, databases, and personally identifiable information (PII) of U.S. residents.