A threat actor has allegedly breached a company that operates a large portfolio of mobile applications promising users money and cryptocurrency rewards. In a post on a dark web forum, the individual claimed to have hacked the company and leaked a database containing sensitive information belonging to the users of approximately 24 different “reward” apps. These applications typically function by having users complete tasks, watch videos, or participate in offers in exchange for small payments.
The compromised data was made available for download via a file-sharing link posted on the forum. The threat actor claims the breach exposed a significant amount of user information. The potential exposure of session tokens is particularly concerning, as it could allow malicious actors to hijack user accounts without needing a password. The full scope of the incident is not yet known, and it is unclear if the developer of the applications has acknowledged or responded to the alleged breach.
The allegedly leaked data includes:
- IP Addresses
- Emails
- Names
- Session Tokens
The following applications were named in the alleged breach:
- fox coins
- sweet earn
- cash zoo
- cash dabba
- buzzy coin
- richy dollars
- zap reward
- cash freak
- reward master
- king coin
- cash cobra
- easy reward
- win me
- reward keyboard
- bear reward
- playwin
- reward joy
- candy reward
- reward station
- cash guru
- 2xrewards
- task bee
- coupon hub
