This week, I drafted a commentary mocking ROMWE’s for claiming that they were notifying their consumers about a breach out of “an abundance of caution.” Then I decided to try to be nice, and I trashed it.
Yesterday, Marco de Felice wrote a piece about the breach that shows that it was even worse than ROMWE admitted to. Not only does he dispute their claim about the breach only impacting some consumers’ “usernames and passwords” by pointing out that the breach impacted more than 7.3 million customers, but he also points out that he had found some data from the breach on the dark web as early as February 2020 — months before ROMWE discovered it after other data appeared on a popular forum.
Read SuspectFile’s report on this breach. I’ve asked him how and where he found the earlier data dump, so there may be an update to this post.