On March 29, DataBreaches.net reported a confirmed hack of Singapore retail furniture chain Vhive. Previous coverage of the attack, as reported by ALTDOS threat actors and as reported by the firm on their site can be found here. At the time of that publication, ransom negotiations between the firm and the attackers appeared to have broken off.
At some point, however, it appears that Vhive agreed to pay $75,000 USD. But the firm reneged and missed the agreed-upon April 2 payment date. Within hours of them missing that deadline, ALTDOS attacked them for a third time and took over their mail server. Yesterday, in a series of emails, ALTDOS informed this site that VHive had
sent us a message today that their management intends to instead allocate funds to compensate their customers whom have been affected by the data breach. ALTDOS scan through their email server, apparently Vhive has not informed their customers individually with regards to the personal data breach. Based on research, it is required legally for Vhive to inform their customers of a personal data breach within 3 days from knowledge of the hack.
Not to worry, ALTDOS has already assisted Vhive to send a message to their customers, informing them about their personal data breach.
Indeed, ALTDOS demonstrated that they had control of Vhive’s email server and sent out emails to customers. Those emails told customers that Vhive had been hacked. A copy of the email, provided to DataBreaches.net, says, in part:
Due to this unfortunate breach of agreement by VHIVE, ALTDOS hereby inform you that 300,000 customers’s personal information will be published publicly. The first 10,000 customer records has been published on https://[redacted by DataBreaches.net] and 50 other public data dump sites. 20,000 additional records will be published each day, starting today until Vhive management agrees to our demand. This action is neccesary to punish VHIVE management for making empty promises to ALTDOS and showing no concern for the safety of their customers
ALTDOS has stolen all of VHIVE’s coding and databases, including 311,468 customer personal information, 352,210 delivery records, 471,553 payment records, 584,979 transaction records and all other financial or corporate data.
If customers attempted to email Vhive to ask if the email from the firm was for real, they received an auto-responder from ALTDOS. The auto-response stated that ALTDOS had compromised Vhive for the third time since March 22, and it linked to a data dump of customer data, warning that more would be dumped each day. The data dump contained the following fields: “firstname, lastname, email, password, address1,address2, postal, country, mobile.”
Even as of this morning, ALTDOS still appeared to be in control of Vhive’s mail server, but has informed DataBreaches.net that Vhive has regained control of it.
DataBreaches.net has reported on previous attacks by ALTDOS in Thailand and Bangladesh. The threat actor(s) focus on ASEAN (Association of Southeast Asian Nations) entities.
The Straits Times confirms that the police are investigating. DataBreaches.net sent an inquiry to the PDPC on Friday to inquire whether Singapore’s data protection commission was also investigating but has received no reply yet.