On the forum R*******, an individual is selling over 17GB of personal data of Vietnamese users. According to this person, the data includes names, dates of birth, profile pictures, home addresses, email addresses, phone numbers, ID card numbers, front and back images of ID cards, and selfie photos/videos.
The number of Vietnamese individuals whose information has been stolen has not been disclosed; however, based on the number of files, this figure may approach nearly 10,000 people. The price to acquire this data is $9,000 (equivalent to 207 million VND). The seller only accepts payment via cryptocurrency Bitcoin or Litecoin.
What is concerning is that according to this person’s claim, the 17GB of data was collected from Pi Network, an app for mining cryptocurrency that has attracted a lot of interest from Vietnamese users recently.
It is speculated that this may be data from the KYC (Know Your Customer) process of Pi Network. KYC is a common procedure for financial applications, where service providers require users to provide some personal information to verify their identity.
In the case of Pi Network, to participate in mining Pi and claim ownership of the mined Pi coins, users need to upload photos or ID cards in addition to basic information like name, age, date of birth, and phone number. Instead of directly conducting the KYC process, Pi Network is collaborating with another app called Yoti to verify users’ identities.
It remains unclear whether the data was leaked by Pi Network itself or if hackers exploited a vulnerability in Pi Network or Yoti to steal the data. Furthermore, despite the seller’s claims, it cannot be definitively confirmed that this data comes from Pi Network, as Pi Network and Yoti currently do not accept ID cards as a form of KYC, only accepting driver’s licenses or passports.
As of now, the data has not been sold, and “user information is still safe,” according to the seller. However, this could change at any moment, and the potential for user data to be misused for malicious purposes is entirely possible.
Update: The post selling this data has been removed from the forum for unspecified reasons. The account selling the data has also been banned by the forum’s admin for fraudulent behavior in another transaction.