Dark Web News Analysis
Dark web sources report a potential data breach involving Rewardy, a platform likely associated with digital rewards or loyalty programs. A threat actor on a hacker forum is offering a database allegedly stolen from the company.
The leak is described as a User Database in JSON format, a structure commonly used in modern web applications and mobile APIs. The breach reportedly occurred in December 2025. While some initial reports flagged this date as a “future” anomaly, in the current timeline (February 2026), this represents a relatively recent compromise that may have gone undetected for two months.
Key Cybersecurity Insights
Breaches of loyalty and rewards platforms are “Tier 1” consumer threats because these accounts often hold “liquid” value (points convertible to cash or gift cards) but lack banking-grade security:
- The “Point Draining” Threat: The primary motivation for hacking a rewards platform is financial. Attackers can automate the login process using the leaked JSON data to access accounts and drain loyalty points. These points are quickly converted into gift cards or cryptocurrency before the legitimate owner notices.
- Credential Stuffing Fuel: Users often view rewards apps as “low risk,” leading them to recycle passwords from other sites. A leak here provides a fresh “Combolist” (Username + Password) that attackers can test against high-value targets like email providers or banking apps.
- JSON API Vulnerability: The JSON format of the data suggests the attacker likely exploited an Insecure Direct Object Reference (IDOR) or a leaky API endpoint. Instead of stealing a whole database file (such as an SQL dump), they likely scraped user records one by one by iterating through user IDs on an unsecured API.
- Social Engineering: With access to user history (e.g., “You recently claimed a $50 Amazon card”), attackers can send convincing phishing emails: “Problem with your recent reward redemption. Click here to verify.”
Mitigation Strategies
To protect user balances and platform integrity, the following strategies are recommended:
- Forced Password Reset: Rewardy must immediately force a password reset for all affected users to invalidate the stolen credentials.
- Point Freezing: Temporarily suspend the “Redeem Points” feature or add a manual review step for large redemptions until the breach is contained.
- API Security Audit: The engineering team should urgently review all API endpoints for Broken Object Level Authorization (BOLA) vulnerabilities to stop the scraping.
- MFA Implementation: Enforce Multi-Factor Authentication (MFA) for any redemption activity. A simple OTP code sent to the user’s email before points are spent can stop 99% of draining attacks.
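As a starting point for the API security audit above, this added example (not Rewardy's or Brinztech's code) scans API access logs for the ID-iteration pattern described under “JSON API Vulnerability”: one client successfully reading many user records that are not its own. The log format, the `/api/users/<id>` path, and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) access-log format, one request per line:
#   <timestamp> <client_ip> <authenticated_user_id or -> <method> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<auth>\d+|-) (?P<method>[A-Z]+) "
    r"/api/users/(?P<target>\d+)(?:/\S*)? (?P<status>\d{3})$"
)

def find_enumeration(lines, max_foreign_ids=3):
    """Return {client: sorted foreign user IDs} for every client that got a
    200 response for more than max_foreign_ids records other than its own."""
    foreign = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # denied or unrelated requests did not expose a record
        if m["auth"] == m["target"]:
            continue  # a user reading their own record is expected
        # Key on the authenticated account when present, else on source IP.
        client = f"user:{m['auth']}" if m["auth"] != "-" else f"ip:{m['ip']}"
        foreign[client].add(int(m["target"]))
    return {c: sorted(ids) for c, ids in foreign.items()
            if len(ids) > max_foreign_ids}

# Constructed sample log lines (not real data).
SAMPLE_LOG = (
    # Account 42 only touches its own record: normal behaviour.
    ["2026-02-01T10:00:00Z 198.51.100.7 42 GET /api/users/42 200",
     "2026-02-01T10:00:05Z 198.51.100.7 42 GET /api/users/42/rewards 200"]
    # Account 77 reads six other users' records and every read succeeds:
    # the endpoint is not checking object ownership (BOLA).
    + [f"2026-02-01T10:01:{i:02d}Z 203.0.113.9 77 GET /api/users/{1000 + i} 200"
       for i in range(6)]
    # An unauthenticated client is refused each time: authorization held.
    + [f"2026-02-01T10:02:{i:02d}Z 192.0.2.55 - GET /api/users/{2000 + i} 401"
       for i in range(6)]
)

if __name__ == "__main__":
    for client, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{client} read {len(ids)} foreign user records: {ids}")
```

Any client this flags points at an endpoint that returned another user's object, which is where the ownership check belongs.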
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com