We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Company Selling Social Media, Gaming Accounts, and Software Licenses Worldwide Suffered a Data Breach
By Jeremiah Fowler, Cybersecurity researcher. Published on 4th April 2023.

The database also contained images of users, credit cards, passports and other forms of identification.

Cybersecurity Researcher, Jeremiah Fowler, has recently reported to vpnMentor about a non-password protected database that contained over 600,000 records. Upon further investigation it became clear that these records were customer support attachments. This included images of individuals holding their credit card or passport, and a wide range of other support related information.

The records belonged to a company called Z2U that is based in China. I immediately sent a responsible disclosure notice but the database remained open and publicly accessible for another week. Access was closed shortly after I sent a notice translated into Chinese. According to their website, “Z2U is a platform trying to build a freely and reliable trade environment between gamers and gamers”. However, the documents I saw indicate they are selling much more than game related accounts and services. Z2U appears to be a broker between individuals buying and selling everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+, and even Windows license keys at a fraction of the real price. What was more disturbing was seeing sellers offering viruses, malware or other malicious applications.

All of these companies have some form of data policy or terms of use agreement that prohibits selling, licensing, or the purchase of any account or access to services using someone else's account. Although Z2U claims to not sell stolen, hacked, or cracked accounts it is unclear what the verification process is other than buyers requesting a refund when the account is restricted, suspended, or no longer works. I saw a large number of refund requests for frozen accounts. Their customers were worldwide based on the identification documents contained in the database.

What the database contained:

  • Images of credit cards, customers, and passports or other government issued identification documents.
  • Records showing bank transaction payments that included IBAN numbers.
  • User logins, emails and passwords for accounts. Order confirmations showing the buyer’s name, email, and details of their purchase.
  • Software license keys for Microsoft, Norton, Kaspersky, Avira, Adobe Photoshop, and more.
  • Screenshots of the customer support dashboard, communications, purchase histories, account credits, and refund requests.
  • Records showing the sales of streaming accounts: HBO MAX, Netflix Premium, Disney+, and others.
  • Records showing the sales of social media accounts: Facebook, Instagram, Twitter, and others.
  • Amazon Prime accounts, and Amazon customer (buyer) and merchant (seller) accounts for sale.
  • Gaming platform and other account passwords and login credentials.

The risks of this data being publicly exposed:

In a limited sampling of records I saw a large number of individuals holding their identity documents and credit cards with their faces clearly visible. These images are required by Z2U’s verification process and should have never been publicly exposed. This information could put users at significant risk of identity theft and fraudulent charges. The criminal could easily open new accounts or purchase products and use the same leaked images of victims to verify or validate the new fraudulent accounts.

In addition to exposing personally identifiable information (PII) and payment information, the images identified that a wide range of other accounts or access to paid services were sold on Z2U’s platform. This bypasses the validation processes that many social media companies put in place to prevent malicious or fraudulent activity on their platforms. The Amazon customer (buyer) and merchant (seller) accounts sold on Z2U also pose a risk of fraud. The buyer account could be used to make fake reviews and ratings or make purchases with stolen credit card information. The seller account could advertise counterfeit items or simply not deliver the goods that a buyer paid for.

Sharing or selling accounts raises many ethical and security concerns. I saw documents indicating users on Z2U were selling HBO MAX and Netflix Premium accounts for as little as $1.00, and Disney+ 3 month subscriptions for $5. For reference, Disney+ costs $109.99 per year while sellers on Z2U offer access for as low as $17 per year. In the UK it is against the law for users to share their passwords for services such as Netflix, Amazon Prime Video and Disney+.

The images also showed gaming currency, accounts, and login credentials for games such as Call of Duty, War Spear, Minecraft, League of Legends, Fortnite, and others. Some aged game accounts sold for more than $600. I saw online streaming platform access keys being sold that would allow the user to access a large selection of games. It should be noted that many of these offerings came with a VPN (virtual private network) or the buyers were offered the option to purchase the VPN separately.

Many of the refund requests were marked “Seller Refused to Provide Refund”. Any time a customer buys an account from a secondary market or potentially illicit marketplace, they run the risk of not having their money returned or of never actually getting access to the account or goods they thought they were purchasing. Buyers have few options for a refund and cannot contact the streaming or social network companies because they are violating the terms of service by selling or purchasing accounts and access.

I suspect these records were attachments to and from customer support. I also saw video files in which users filmed their screens to show login issues or payment problems. Z2U claims to have over one million positive reviews and even offers an affiliate program. There are many mixed reviews, both positive and negative, on independent review websites and Reddit.

The database was hosted on a server based in China and I saw a large number of documents and file names that were in Chinese. There could be significant intellectual property implications of selling accounts, license keys, and access to games, services, and licensed software applications. Many of the account login email addresses I saw for sale used Russian email accounts with the .ru domain extension. It is well known in the security community that Russia and China are among the most active locations for cybercrime and both countries have a reputation of being deeply engaged in dark web or malicious activity online.

Buying accounts or access credentials can create a much bigger security issue when customers are required to provide sensitive personal information to companies that operate in countries or regions with limited data protection. We imply no wrongdoing by Z2U or their customers and only highlight the details of our discovery to identify real world risks. In this data exposure there were thousands of images containing PII and payment or billing information. It is unclear how long the database was exposed or who else may have had access to these records.

About the Author

Jeremiah, an experienced cybersecurity researcher at vpnMentor and co-founder of Security Discovery, is renowned for uncovering some of the world’s most significant data breaches. Together with the vpnMentor team, he has been instrumental in securing the personal data of millions globally.

His journey in cybersecurity, sparked by his interest in a data breach at a former company, transformed from a passion into a recognized expertise, establishing him as a respected thought leader in the industry.