Rewardy, an online “get-paid-to” (GPT) platform that rewards users for completing digital tasks, has allegedly been compromised. A threat actor is currently selling a database claiming to contain the personal and activity information of 2.2 million users on a cybercrime forum. The breach reportedly occurred on December 8, 2025. The seller is asking for $1,500 in cryptocurrency (XMR/BTC) for the exclusive sale of the 14GB MongoDB dump.
According to the actor, the compromised data spans 2.2 million users, with approximately 416,000 records containing password hashes. The allegedly compromised data includes:
-
Usernames and Full names
-
Email addresses
-
Password hashes (bcrypt)
-
IP addresses (Historical logs with timestamps)
-
Country codes
-
Device IDs
-
Cryptocurrency wallet addresses (e.g., Litecoin withdrawal addresses)
-
Transaction IDs and withdrawal history
-
Account activity logs (Offers completed, watch time, earnings)
-
Account status (including ban history and reasons)
