Cyberattack on Recharge App in Mexico Compromises User Data

Written by Adriana Aguilar | May 5, 2025 11:14:56 PM

A massive data leak within a cybercriminal group exposed over 8 GB of data belonging to PayApp.mx, a Mexican platform offering mobile top-ups for Telcel, Movistar, AT&T, and Unefon, as well as service payments for CFE, Telmex, and Infonavit, and the sale of digital pins for Netflix, PlayStation, Xbox, and Cinépolis. More than a million mobile top-up records (including cell phone numbers, dates, amounts, and transaction IDs) were compromised, along with internal transfers with user credentials, email addresses, PINs, passwords, tax IDs (RFC), addresses, names, and banking data.

The leak also exposed access logs, HTTP request logs, session tokens, and files containing detailed information on financial transactions and user accounts. What began as a convenient tool for thousands has now turned into a digital security nightmare. Beyond the scale of the breach, this incident highlights a harsh reality: many platforms are still unprepared to properly protect their users' information.

The leak came to light thanks to a user known as Nick Diesel, a data trafficker with a history of sharing stolen databases on underground forums. This time, the sheer volume, level of detail, and sensitivity of the data place thousands of users at risk of falling victim to fraud.

Who Is Nick Diesel?

Nick Diesel is a name that already sends chills through cybersecurity circles. He is a well-known data trafficker operating in underground cybercrime forums, particularly those in Russian-speaking circles. Over the years, he has been behind several massive leaks in Mexico, affecting banks, government institutions, and private companies. Among his most serious "achievements" are:

  1. The leak of 700,000 payroll records from FastNom, exposing user, vendor, and employee information, including banking data.

  2. The theft of banking data of 80,000 Mexicans after hacking the ticketing service DeBoleto.mx, revealing personal and financial information.

  3. The sale of a database containing data of 1.2 million retirees, including names, emails, phone numbers, CURP, RFC, and social security numbers.

PayApp.mx Exposed

In the case of PayApp.mx, the biggest concern is not just the amount of stolen data but the completeness and detail of the information leaked. Access credentials (usernames, passwords, and tokens) of those operating the platform were found, along with real-time records of top-up transactions, server logs, and even access routes used via web and WhatsApp.

Everything points to the system running on an automated API that handled the top-ups and generated access tokens, but it lacked robust security protocols.

In total, the files contain more than a million individual top-up records. Each one includes data such as: the phone number that made the top-up, the beneficiary’s number, the amount, the provider, the date of the sale, the time the system spent in the queue, the transaction ID, errors, and even internal notes.

Risks: Phishing, Impersonation, and Social Engineering

The risks from this breach are quite clear. With all the exposed information, criminals have everything they need to launch highly convincing phishing campaigns. They could pose as the platform itself, contact users, and claim they need to "reactivate their account" or request small payments to restore access.

It wouldn’t be hard for someone to fall for such a trap. They could also attempt identity theft or even carry out unauthorized transfers using the leaked banking data. With so few barriers between the attackers and their victims, the impact could be severe and affect thousands of people.