This week’s Cyber Intelligence House Leak of the Week highlights a breach involving Otter.ro (Otter Distribution SRL), a Romania-based footwear and accessories retailer with both online and physical stores.

On February 3, 2025, a dataset labeled “otter_2025-02-03.sql” and advertised as “262K OTTER.RO DATABASE” was shared on the We Leak Database forum. The leak consists of a single SQL dump of approximately 26 GB, indicating a full e-commerce database export. Analysis confirms exposure of customer records, order metadata, administrator accounts, and API/OAuth artifacts.

Sensitive excerpts from the leak:
– admin_user (… email, username, pass…, rp_token, rp_token_created_at)
– oauth_consumer (entity_id, created_at, updated_at, name, key, secret, callback_url, rejected_callback_url)
– oauth_token (entity_id, consumer_id, admin_id, customer… verifier, callback_url, revoked, authorized, created_at)
– api_session (user_id, logdate, sessid)
– customer_flowpassword (flowpassword_id, ip, email, requested_date)

Implications
For Individuals:
1. High risk of credential stuffing and account takeover using leaked emails, password resets, and session identifiers.
2. Exposure to phishing campaigns leveraging order histories and personal contact details.
3. Privacy risks from leaked addresses, session tokens, and transaction records.

For Otter.ro:
1. Potential for administrator account compromise via leaked admin_user credentials or reset tokens.
2. Risk of integration abuse from exposed OAuth keys, secrets, and tokens tied to third-party systems.
3. Regulatory obligations under GDPR with associated financial and reputational impact.

Supply Chain Risks:
Leaked OAuth credentials and session tokens could enable malicious use of third-party logistics, marketing, or payment integrations tied to Otter.ro’s platform.

Cyber Intelligence House’s Recommendations:
– Reset and rotate all OAuth tokens, consumer keys, and admin credentials. Invalidate exposed reset tokens and enforce immediate password resets.
– Enforce MFA for all administrator and API accounts, restrict access by IP, and review role-based privileges for misuse.
– Monitor and audit logs for unusual API or token activity, implement WAF/IPS rules for e-commerce endpoints, and track for credential reuse.
– Comply with data protection obligations by notifying impacted customers and regulators, and by providing password hygiene guidance.
– Expand external monitoring to detect further redistributions of Otter.ro’s data on forums and Telegram channels.
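
The first recommendation, sketched as an added example (not Cyber Intelligence House's or Otter.ro's code): a sweep that invalidates each artifact class named in the excerpt and flags OAuth tokens issued after the dump date for review. The SQLite stand-in schema uses only column names from the excerpt; the sample rows, function names, and the assumption that the platform honors these column changes are constructed for illustration.

```python
import secrets
import sqlite3

DUMP_DATE = "2025-02-03"  # taken from the dump's file name on this page

# Constructed stand-in schema: only column names listed in the excerpt.
SCHEMA = """
CREATE TABLE admin_user (email TEXT, username TEXT, rp_token TEXT, rp_token_created_at TEXT);
CREATE TABLE oauth_consumer (entity_id INTEGER PRIMARY KEY, name TEXT, "key" TEXT, secret TEXT, updated_at TEXT);
CREATE TABLE oauth_token (entity_id INTEGER PRIMARY KEY, consumer_id INTEGER, revoked INTEGER, authorized INTEGER, created_at TEXT);
CREATE TABLE api_session (user_id INTEGER, logdate TEXT, sessid TEXT);
"""

def build_sample_db():
    """In-memory database with constructed rows (not data from the leak)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO admin_user VALUES (?,?,?,?)", [
        ("a@example.test", "admin1", "tok-a", "2025-01-20 10:00:00"),
        ("b@example.test", "admin2", None, None)])
    db.execute("INSERT INTO oauth_consumer VALUES (1,'shipping','k1','s1','2024-06-01 00:00:00')")
    db.executemany("INSERT INTO oauth_token VALUES (?,?,?,?,?)", [
        (1, 1, 0, 1, "2024-06-02 00:00:00"),
        (2, 1, 0, 1, "2025-02-10 00:00:00"),   # issued after the dump date
        (3, 1, 1, 0, "2024-07-01 00:00:00")])  # already revoked
    db.execute("INSERT INTO api_session VALUES (1,'2025-02-01 09:00:00','sess-1')")
    return db

def invalidate_exposed(db, now="2025-02-04 00:00:00"):
    """Invalidate every artifact class from the excerpt; return per-class counts."""
    r = {}
    # Tokens minted after the dump under a leaked consumer need review, not only revocation.
    r["tokens_after_dump"] = [row[0] for row in db.execute(
        "SELECT entity_id FROM oauth_token WHERE date(created_at) > ? ORDER BY entity_id",
        (DUMP_DATE,))]
    r["reset_tokens"] = db.execute(
        "UPDATE admin_user SET rp_token = NULL, rp_token_created_at = NULL "
        "WHERE rp_token IS NOT NULL").rowcount
    r["tokens_revoked"] = db.execute(
        "UPDATE oauth_token SET revoked = 1, authorized = 0 WHERE revoked = 0").rowcount
    r["sessions"] = db.execute("SELECT COUNT(*) FROM api_session").fetchone()[0]
    db.execute("DELETE FROM api_session")
    ids = [row[0] for row in db.execute("SELECT entity_id FROM oauth_consumer")]
    for cid in ids:  # fresh random key/secret pair for each consumer
        db.execute('UPDATE oauth_consumer SET "key" = ?, secret = ?, updated_at = ? WHERE entity_id = ?',
                   (secrets.token_hex(16), secrets.token_hex(16), now, cid))
    r["consumers_rotated"] = len(ids)
    db.commit()
    return r

if __name__ == "__main__":
    print(invalidate_exposed(build_sample_db()))
```

Rotated consumer secrets still have to be redistributed to each integration partner out of band, and a production rollout would go through the platform's own admin tooling rather than direct table updates.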