XM Group
Summary
XM Group, a Sydney-based international investment firm established in 2009, was allegedly breached in May 2024, with data from 438,522 customers posted to a hacking forum. The breach exposed customer trading information and personal details.
Attack Vector
A threat actor using the handle "wht" posted customer data to a hacking forum on May 18, 2024. The full dataset in CSV format was made available only to users with upgraded forum memberships. The method of data acquisition was not disclosed by the poster.
Consumer Impact
The exposed data includes full names, gender, email addresses, dates of birth, phone numbers, street names, cities, postcodes, AUD trading values, and assets being traded. Sample data showed individual trading values exceeding $5,000 per person. Analysis revealed that all 11 email addresses in the sample data had been previously exposed in other breaches, particularly the 2011 Oxfam Australia breach, suggesting potential for credential correlation across multiple breaches.
Response
No public response from XM Group had been documented at the time of breach disclosure. XM Group has served more than 10 million clients, with traders from over 190 countries, so the 438,522 affected accounts represent approximately 4% of its total client base.