Roughly four million accounts for the online marketplace Quidd have been posted for free on multiple hacking forums. According to ZDNet sources, the original breach is credited to someone going by the alias “ProTag” and has been privately advertised for sale since at least October 2019. Although passwords were hashed using bcrypt, another user on the same forum as the original post is selling what they claim to be plain-text passwords for 137,518 Quidd accounts. A reply to the original post also claimed to have recovered nearly one million passwords. Cracking bcrypt hashes takes considerable effort and computing power, so it is entirely possible that the recovered passwords came from other sources and were matched to the accounts.
All Quidd users are advised to change their passwords as soon as possible. A password manager makes it practical to use a strong, unique password for every site or service instead of reusing one password across accounts. According to Risk Based Security, who found the dump, many professional email domains were included in the breach. Registering for online services with a corporate email account is strongly discouraged and should be avoided whenever possible: criminals take passwords tied to corporate email addresses from third-party breaches and try them against employee accounts (such as Office 365 or other corporate email) in case the same or a similar password is in use. Requiring multi-factor authentication (MFA) for remote access to corporate accounts is an important defense against this type of attack. Breaches like this one that expose email addresses also increase the potential for spam and targeted phishing.