Pakistan Data Breach: iShopping Exposes 525,459 Customer Records

HEROIC analysts found that 525,459 iShopping customer records were exposed in a database breach publicly disclosed on July 1, 2024. iShopping is a Pakistan-based online retail platform, and this breach represents one of the largest consumer data exposures traced to the Pakistani e-commerce sector in 2024. The compromised records contain email addresses and phone numbers, providing attackers with direct contact channels for phishing, vishing, and SMS-based fraud campaigns targeting Pakistani consumers.

Why This Is Dangerous

When over half a million email addresses and phone numbers are extracted from a regional e-commerce platform and distributed on underground forums, they create a ready-made targeting list for threat actors focused on the Pakistani market. Because the exposed data includes both email and phone contact details, attackers can approach victims through multiple channels simultaneously, increasing the likelihood of a successful social engineering attempt. Regional breach data is also frequently cross-referenced with other leaked datasets to build richer profiles on individual targets.

What Was Exposed

• Email Address
• Phone Number

Why This Matters

Phone numbers and email addresses form the foundation of phishing and vishing operations. Attackers can use this data to send fraudulent order confirmation messages, fake delivery alerts, or impersonate iShopping customer support in order to harvest payment details, account credentials, or national identification numbers from unsuspecting customers. Bulk contact lists of this size are also sold to fraudsters who operate mass SMS spoofing campaigns. At scale, even a low success rate translates to thousands of successful fraud incidents.

How Database Breaches Work

A database breach occurs when an unauthorized party gains access to a back-end data store and extracts records at scale. Common attack paths include SQL injection, exploitation of unpatched database software, compromised administrative credentials, or misconfigured cloud storage that exposes database backups publicly. Once inside, attackers can export millions of records in minutes. The resulting data dumps are typically packaged and distributed on dark web forums, sold to other threat actors, or used directly in automated attacks.

Check If You Are Affected

HEROIC offers a free identity scanner that checks your email address against more than 400 billion exposed records, including breach data of this type. Visit heroic.com to run a free scan and find out whether your contact information appears in known data dumps. If you have an iShopping account, be alert to unsolicited messages claiming to be from the platform and avoid clicking links in unexpected emails or SMS messages.