Data of 90K Mastercard Priceless Specials Members Shared Online
A database containing sensitive information of about 90,000 German Mastercard "Priceless Specials" loyalty program members, shared online following a breach discovered on August 20, was added to data breach site Have I Been Pwned on September 1.
The data was made available on the Internet after the breach, with customers' names, payment card numbers, partial credit card data, IP addresses, email addresses, phone numbers, gender, and dates of birth being included in the leaked info.
Database dump added to Have I Been Pwned
Mastercard disclosed the data leak incident to the German and Belgian Data Protection Authorities (DPA) on August 23 and, on September 1, data breach site Have I Been Pwned added it to its own database.
According to Have I Been Pwned, the database dump contains the details of 89,338 German Mastercard customers with "Priceless Specials" bonus program accounts, and 46% of the addresses in this breach had already been added to the platform as part of previous database dumps.
Have I Been Pwned subsequently notified all impacted users of the breach and is now also allowing the ones that don't have the alerts enabled to check if their e-mails are part of the leak incident on their own.
Priceless Specials loyalty program shut down
Mastercard started an investigation immediately after learning of the data breach and requested all sites where the leaked customer information was hosted to delete all the personal info belonging to its Priceless Specials members.
After discovering the data leak, Mastercard also suspended the German "Priceless Specials" bonus program and took down its website, leaving up only a message stating that the "issue has no connection to MasterCard's payment network."
Juliane Schmitz-Engels, Mastercard's Head of Communications for Germany and Switzerland, told BleepingComputer that the breach involved the Specials German loyalty platform managed by a third-party vendor, "which resulted in the unauthorized distribution of certain information."
Mastercard said at the time that "the incident is limited to the Specials program" and that the only payment card information leaked in the incident was payment card numbers:
Based on the facts known at this time, the following personal information is affected: payment card number, title, name, date of birth, gender, mailing address, e-mail address and telephone number and the time of first registration with Priceless Specials. Neither access data nor passwords were published. The expiration date of payment cards and the check digit (CVC) were also not published.
What's next for Mastercard Priceless Specials members?
Customers who want to check if their info has been exposed as part of this breach can enter their email address into https://haveibeenpwned.com/ to receive a report if their info has been found in any breaches added to the platform, including the Mastercard "Priceless Specials" one.
Given that the database dump has already been shared online through several websites, the program's account credentials will most definitely be used in future credential stuffing attacks.
Credential stuffing attacks allow attackers to use credentials compiled from data leaks originating from various companies' data breaches to attempt to gain access to accounts registered on other sites.
These attacks work especially well against the accounts of users who reuse the same password on all or several websites. The best way to avoid getting your account hacked following a breach is therefore to always use unique passwords for all your online accounts.
If you use your Mastercard "Priceless Specials" password with accounts registered on other sites, you should immediately change the password on every site where it is also used. By not doing so, you risk having those accounts compromised as well in the event of future attacks.