Company Selling Social Media, Gaming Accounts, and Software Licenses Worldwide Suffered a Data Breach

Jeremiah Fowler, Cybersecurity researcher. Published on 4th April 2023

The database also contained images of users, credit cards, passports and other forms of identification.

Cybersecurity Researcher, Jeremiah Fowler, has recently reported to vpnMentor about a non-password protected database that contained over 600,000 records. Upon further investigation it became clear that these records were customer support attachments. This included images of individuals holding their credit card or passport, and a wide range of other support related information.

The records belonged to a company called Z2U that is based in China. I immediately sent a responsible disclosure notice but the database remained open and publicly accessible for another week. Access was closed shortly after I sent a notice translated into Chinese. According to their website, “Z2U is a platform trying to build a freely and reliable trade environment between gamers and gamers”. However, the documents I saw indicate they are selling much more than game related accounts and services. Z2U appears to be a broker between individuals buying and selling everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+, and even Windows license keys at a fraction of the real price. What was more disturbing was seeing sellers offering viruses, malware or other malicious applications.

All of these companies have some form of data policy or terms of use agreement that prohibits selling, licensing, or the purchase of any account or access to services using someone else's account. Although Z2U claims to not sell stolen, hacked, or cracked accounts it is unclear what the verification process is other than buyers requesting a refund when the account is restricted, suspended, or no longer works. I saw a large number of refund requests for frozen accounts. Their customers were worldwide based on the identification documents contained in the database.

What the database contained:

  • Images of credit cards, customers, and passports or other government issued identification documents.
  • Records showing bank transaction payments that included IBAN numbers.
  • User logins, emails and passwords for accounts. Order confirmations showing the buyer’s name, email, and details of their purchase.
  • Software license keys for Microsoft, Norton, Kaspersky, Avira, Adobe Photoshop, and more.
  • Screenshots of the customer support dashboard, communications, purchase histories, account credits, and refund requests.
  • Records showing the sales of streaming accounts: HBO MAX, Netflix Premium, Disney+, and others.
  • Records showing the sales of social media accounts: Facebook, Instagram, Twitter, and others.
  • Amazon Prime accounts, and Amazon customer (buyer) and merchant (seller) accounts for sale.
  • Gaming platform and other account passwords and login credentials.

The risks of this data being publicly exposed:

In a limited sampling of records I saw a large number of individuals holding their identity documents and credit cards with their faces clearly visible. These images are required by Z2U’s verification process and should have never been publicly exposed. This information could put users at significant risk of identity theft and fraudulent charges. The criminal could easily open new accounts or purchase products and use the same leaked images of victims to verify or validate the new fraudulent accounts.

In addition to exposing personally identifiable information (PII) and payment information, the images identified that a wide range of other accounts or access to paid services were sold on Z2U’s platform. This bypasses the validation processes that many social media companies put in place to prevent malicious or fraudulent activity on their platforms. The Amazon customer (buyer) and merchant (seller) accounts sold on Z2U also pose a risk of fraud. The buyer account could be used to make fake reviews and ratings or make purchases with stolen credit card information. The seller account could advertise counterfeit items or simply not deliver the goods that a buyer paid for.

Sharing or selling accounts raises many ethical and security concerns. I saw documents indicating users on Z2U were selling HBO MAX and Netflix Premium accounts for as little as $1.00, and Disney+ 3 month subscriptions for $5. For reference, Disney+ costs $109.99 per year while sellers on Z2U offer access for as low as $17 per year. In the UK it is against the law for users to share their passwords for services such as Netflix, Amazon Prime Video and Disney+.

The images also showed gaming currency, accounts, and login credentials for games such as Call of Duty, War Spear, Minecraft, League of Legends, Fortnite, and others. Some aged game accounts sold for more than $600. I saw online streaming platform access keys being sold that would allow the user to access a large selection of games. It should be noted that many of these offerings came with a VPN (virtual private network) or the buyers were offered the option to purchase the VPN separately.

Many of the refund requests were marked “Seller Refused to Provide Refund”. Any time a customer is buying an account from a secondary market or potentially illicit marketplace they run the risk of not having their money returned or actually getting access to the account or goods they thought they were purchasing. Buyers have few options for a refund and cannot contact the streaming or social network companies because they are violating the terms of service by selling or purchasing accounts and access.

I suspect these records were attachments to and from customer support. I also saw video files where users filmed their screens to show login issues or payment problems. Z2U claims to have over one million positive reviews and even offers an affiliate program. There are many mixed reviews, both positive and negative, on independent review websites and Reddit.

The database was hosted on a server based in China and I saw a large number of documents and file names that were in Chinese. There could be significant intellectual property implications of selling accounts, license keys, and access to games, services, and licensed software applications. Many of the account login email addresses I saw for sale used Russian email accounts with the .ru domain extension. It is well known in the security community that Russia and China are among the most active locations for cybercrime and both countries have a reputation of being deeply engaged in dark web or malicious activity online.

Buying accounts or access credentials can create a much bigger security issue when customers are required to provide sensitive personal information to companies that operate in countries or regions with limited data protection. We imply no wrongdoing by Z2U or their customers and only highlight the details of our discovery to identify real world risks. In this data exposure there were thousands of images containing PII and payment or billing information. It is unclear how long the database was exposed or who else may have had access to these records.

About the Author

Cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.

Jeremiah finds and reports data breaches and vulnerabilities. He identifies real world examples of how exposed data can be a much bigger risk to personal privacy. Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world.

Jeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries. After the company he was working for had a data breach of their own customers he became inspired to find out how data exposures happen. What started as digital treasure hunting quickly became more than a hobby. He quickly became a well known security researcher and thought leader frequently appearing in the news.

He has been a keynote speaker at multiple security conferences and has given lectures and webinars to startups and Fortune 100 companies on the topics of cyber security, privacy, and data protection. Jeremiah lives by the saying "Do what you love, and you will always love what you do."