100K Santander Mexico client records for sale on data sharing forum

CloudSEK has discovered a data leak that contains sensitive information of 100,000 Mexican Santander users, advertised to be in clear text format.

Discovery of the leak

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a surface web database marketplace, claiming to be the information of 100,000 Mexican users. 

The post was published on 16 Sep 2020 at 09:54 PM (IST). The poster claims to have 100,000 Mexican users’ data, in clear text format. The database is being sold for 250 USD in Bitcoins (BTC) Records shared by the actor could be relevant to the current year. 

The contents of the leak

The leaked database has the following schema: 

• Secuencia / u6acct / u6cvereg / u6numcto / dmssnum / dmaddr1 /  dmaddr2 /  u6delomu / u6estado / dmcity / dmzip / u6ladte1 / u6tel1 / u6ladte2 / u6tel2 / dmname / u6rfc / u6licrea

Data Sample

This is the sample provided by the threat actor:

Mitigation

1. Enable multi-factor authentication
2. Use strong password 
3. Don’t share OTPs with third-parties, as OTP is the only thing standing between threat actors and the victims’ accounts
4. Review all online accounts and financial statements for suspicious activity. 
5. Caution friends and family against threat actors impersonating you.
6. Regularly update your apps and any other software you use

Disclosure

CloudSEK performed its due diligence and notified Santander Mexico on 17-Sept-2020. However, Santander had not responded, at the time of publishing this article. If we receive a reply, it will be duly updated here.