A massive database containing hundreds of thousands stolen gift cards from thousands of brands has been offered for sale on a top-tier Russian-language underground forum.

The seller claimed that the database included 895,000 gift cards from 3,010 companies, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The total value of offered gift cards has been estimated at $38 million, according to Gemini Advisory.

The seller put the data on auction with a starting price of $10,000 and a buy-now price of $20,000, and within days it was sold to another threat actor. Soon after, the same seller put up for sale another database containing 330,000 credit and debit cards. The data included payment card number, expiration date, and bank name, but did not include the CVV or cardholder name. This time an auction started at $5,000, with a buy-now price of $20,000, and the data was also sold within days.

The researchers believe that the both databases likely came from a breach of the now-defunct online gift card shop Cardpool.com that occured between February 4, 2019 and August 4, 2019.

Gemini Advisory also pointed out that the both sets of cards were offered at prices far below the typical price for payment and gift cards - at roughly 0.05% of the card value, although usually compromised gift cards sell for 10% of the card value. It means that the threat actor could exaggerate the total value of gift cards to boost sales, or that the gift card validity rate was likely lower, meaning that a significant portion of them were inactive or had a low balance.

According to the researchers, the hacker selling the both sets of cards is a prolific Russian-speaking actor who has been active on top-tier and mid-tier dark web forums since 2010. The hacker’s previous offerings included large collections of stolen payment card data, databases, and personally identifiable information (PII) of U.S. residents.