Paa.ge, a platform appearing to function as a link-in-bio and e-commerce solution for creators and merchants (with infrastructure linked to Lama.co), has allegedly been compromised. A threat actor has listed a massive database for sale, claiming it contains nearly 33 million rows of data. The breach appears to affect multiple storefronts utilizing the Paa.ge infrastructure, including merchants such as “Envie Le Banquet” and “Ephemera.”
According to the actor, the dataset spans “Order data, customer data, gift card data.” Analysis of the provided data samples indicates that the compromise is significant, exposing sensitive personal and transactional details.
The allegedly compromised data includes:
-
Customer Personal Information: Full names, email addresses, and phone numbers.
-
Physical Addresses: Shipping addresses including city, province, postal codes, and country codes (primarily France in the samples).
-
Order Details: Transaction IDs, purchase amounts, currency codes, and item descriptions.
-
Gift Card Content: Personal messages sent between users (e.g., birthday wishes), sender names, and recipient names.
-
Technical Metadata: Store IDs, referring URLs, and internal system timestamps.
