Dark Web News Analysis
A threat actor on a known hacker forum is offering a consolidated database containing the personal data of 1,694,726 German individuals. The seller claims this dataset was aggregated from multiple major German e-commerce and delivery platforms, specifically naming Otto.de, Flaschenpost.de, Baur.de, and Cyberport.de.
Brinztech Analysis:
- The Nature of the Leak (“Combolist”): The fact that the data is “compiled from multiple websites” suggests this is an Aggregated Database (or “Combolist”) rather than a fresh, direct breach of Otto or Cyberport’s core servers today. Attackers often merge data from various older scrapes and third-party marketing leaks to create a “Master File” of German citizens.
- The Data: The dataset is described as comprehensive and formatted in CSV, containing:
  - Identity PII: Full Names, Dates of Birth (DOB), Gender, and Occupation.
  - Contact Info: Email Addresses, Phone Numbers, and Physical Addresses.
- The Targets: The named sources are pillars of German e-commerce:
  - Otto / Baur: Major general retailers.
  - Cyberport: A leading electronics retailer.
  - Flaschenpost: A popular beverage delivery service (high-frequency use).
Key Cybersecurity Insights
This alleged data sale presents a specific threat to the DACH region (Germany, Austria, Switzerland):
- “Paket” Smishing (DHL/Hermes): Germany relies heavily on delivery services. With 1.6 million active phone numbers and addresses linked to “Otto” and “Flaschenpost” shoppers, attackers can launch massive Smishing campaigns pretending to be DHL or Hermes.
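  - Scenario: “Ihr Paket von Otto.de konnte nicht zugestellt werden. Bitte aktualisieren Sie Ihre Daten hier.” (Your package from Otto.de could not be delivered. Please update your details here.) Because the recipient really is an Otto customer, the message fits their recent activity and reads as plausible.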
- Occupation-Based Targeting: The inclusion of “Occupation” is rare in standard e-commerce leaks. This allows for highly sophisticated attacks. Attackers can filter for “Accountants” or “IT Administrators” to launch Business Email Compromise (BEC) attacks against their employers, using the personal data to build trust.
- Identity Theft (Schufa/Bonität): In Germany, identity theft can severely impact a victim’s Schufa score (credit rating). With Name, DOB, and Address, criminals can order goods on “Rechnung” (invoice/pay later) in the victim’s name, leaving the victim with the debt and a ruined credit score.
- Credential Stuffing: Users of Flaschenpost (a convenience app) likely use the same password for their email or social media. This list will be used to brute-force accounts across the German web.
Mitigation Strategies
In response to this aggregated leak, German consumers and the affected platforms should take defensive measures:
- Consumer Vigilance (The “Rechnung” Scam): German citizens should monitor their physical mail for invoices for goods they did not order. If received, report it to the police immediately as “Identitätsdiebstahl” (Identity Theft).
- Platform Response: Otto, Baur, and others should investigate if this data matches their internal records. If it appears to be a credential stuffing output (where attackers scraped profile data using stolen passwords), they must force password resets for affected accounts.
- Address Verification: E-commerce companies should implement stricter fraud checks for “Pay Later” (Kauf auf Rechnung) orders, perhaps requiring 2FA confirmation via SMS before approving an order to a new address.
- Password Hygiene: Users should check if their email is in the leak (via services like Have I Been Pwned or HPI Identity Leak Checker) and change passwords immediately.
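The “Address Verification” check above can be sketched as follows. This is an added example, not code from Brinztech or any retailer; the function names, decision labels and policy are assumptions. It normalizes German address spellings so that a variant of a known address is not treated as new, and it requires SMS confirmation only through a phone number verified before the order.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

_UMLAUTS = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue"})

def _norm(part: str) -> str:
    # casefold() turns "ß" into "ss"; then unify umlaut spellings and
    # "strasse"/"str." and drop spacing and punctuation.
    text = part.casefold().translate(_UMLAUTS).replace("strasse", "str")
    return re.sub(r"[^a-z0-9]", "", text)

def normalize_address(street: str, postal_code: str, city: str) -> str:
    """Key under which spelling variants of one German address compare equal."""
    return "|".join(_norm(p) for p in (street, postal_code, city))

@dataclass
class Account:
    # Phone number verified BEFORE this order, never one typed at checkout.
    verified_phone: Optional[str] = None
    # Normalized keys of addresses with a completed, paid delivery.
    known_addresses: Set[str] = field(default_factory=set)

def check_invoice_order(account, street, postal_code, city, otp_confirmed=False) -> str:
    """Decide on a pay-later order: approve, require_sms_otp or manual_review."""
    if normalize_address(street, postal_code, city) in account.known_addresses:
        return "approve"
    if account.verified_phone is None:
        # No trusted channel to confirm the order (e.g. a fresh account
        # opened with someone else's name, DOB and address).
        return "manual_review"
    return "approve" if otp_confirmed else "require_sms_otp"

# Constructed sample data, not taken from any real customer record.
SAMPLE = Account(
    verified_phone="+49 0000 000000",
    known_addresses={normalize_address("Musterstraße 5", "50667", "Köln")},
)

if __name__ == "__main__":
    print(check_invoice_order(SAMPLE, "Musterstr. 5", "50667", "Koeln"))
    print(check_invoice_order(SAMPLE, "Beispielweg 12", "10115", "Berlin"))
    print(check_invoice_order(Account(), "Beispielweg 12", "10115", "Berlin"))
```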
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com