More than 600,000 records of stolen data and customer information have been exposed from a Chinese website that sells stolen accounts and personal information.

Jeremiah Fowler, a cybersecurity researcher, broke the news via vpnMentor about a database that was not password protected and contained over 600,000 records.

Upon investigation, it was discovered that these records were customer support attachments, including sensitive information such as images of individuals holding their credit cards or passports, as well as other support-related data.

The website in question is called Z2U and operates as a gaming marketplace.

Although it presents itself as a “trade environment between gamers and games,” a deeper investigation, including analysis of the leaked data, reveals that it is involved in much more than just gaming transactions.

Based on the documents reviewed by Fowler, it appears that Z2U is not only selling game-related accounts and services but also acting as a broker for individuals buying and selling a wide range of questionable items.

However, the documents I saw indicate they are selling much more than game related accounts and services.

Z2U appears to be a broker between individuals buying and selling everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+, and even Windows license keys at a fraction of the real price.

What was more disturbing was seeing sellers offering viruses, malware or other malicious applications.

Jeremiah Fowler

Even more concerning is the fact that some sellers on the site are offering viruses, malware, and other malicious applications for sale.

The uncovered database proved to be a goldmine of stolen information.

It contained a wide range of sensitive data, such as images of credit cards, passports, and other identification documents.

Additionally, the database contained records of bank transactions, including international bank account numbers, as well as user logins, emails, and passwords for various accounts, software license keys, and other related data.

The leaked database also included the buyer’s name, email address, and purchase date.

It documented sales of access to streaming and social media accounts, as well as other related purchasing details.

This means that the database not only compromised the security of stolen information but also revealed information about those who purchased illegal items from the website.

Despite the site’s illicit activities, Fowler acted responsibly and reported the exposed database to Z2U.

The database was taken down a week after Fowler’s initial contact, and the duration of the database’s exposure and the identity of any unauthorized users who accessed it remains unknown.