Photocreate Data Breach Exposes 8.6 Million Customer Records in Japan

A threat actor using the alias haxorsss has claimed responsibility for the Photocreate data breach, offering a database of 8.6 million customer records allegedly exfiltrated from Photocreate Co., Ltd. and its associated domains. The actor claims the stolen information spans from 2008 to 2025 and includes personal data such as names, addresses, email addresses, passwords, phone numbers, and birthdates. The breach was reportedly carried out in July 2025 and later posted for sale on a dark web forum in early November.

Photocreate, a Tokyo-based photography and event management company, operates several platforms including allsports.jp, snapsnap.jp, comiruco.snapsnap.jp, and photochoice.jp. The company manages photo sales, event photography, and digital media distribution for schools, sports organizations, and corporate clients throughout Japan. If verified, this breach represents one of the largest exposures of personal information in Japan’s photography and event services industry to date.

Threat Actor’s Claims

According to the threat actor’s forum post, the breach involved two major datasets:

  • members.csv – 8.6 million rows of user data
  • member_addresses.csv – 7 million rows of address records

The post includes screenshots displaying samples of the database structure, showing fields such as email, hashed_password, decrypted_password, name, address, mobile_email, and birthdate. The actor is offering the dataset for $5,000, payable in Bitcoin or Monero (XMR), claiming the sale will be exclusive to one buyer. The message also states that the listing will be deleted once the dataset is sold.

The seller asserts that the stolen data originates from multiple connected domains within the Photocreate ecosystem, indicating a potentially wide compromise across its web infrastructure. They also reference a prior statement issued by Photocreate in July 2025, in which the company confirmed unauthorized access related to a phishing campaign but denied any customer data leakage. The threat actor disputes that claim, saying the company “underreported the incident” and that full user data was exfiltrated.

Background on the Breach

The post by haxorsss states that they breached Photocreate in July 2025. The data is said to include customer information dating back 17 years, from 2008 to 2025. The attacker posted a sample containing 10,000 randomized records to verify authenticity. Each record includes personally identifiable information (PII) and what appears to be both hashed and decrypted passwords, implying either poor password security practices or a secondary compromise of stored credentials.

The actor claims that no photo files or image archives were included in the breach, suggesting the exfiltration targeted only databases containing user information. This distinction may indicate an initial intrusion focused on backend data management systems rather than image storage servers.

In the post, haxorsss wrote: “I breached them in July 2025. They previously released a statement. No photo database is exfiltrated, only users’ name, address, email, password, phone, and date of birth.” The seller further added that the data will be removed from the forum once a private sale is completed.

Evidence and Verification

At the time of writing, the Photocreate data breach remains pending verification. However, dark web analysts have confirmed that the data sample includes credible Japanese names, email domains, and structural formatting consistent with real customer records. Some records appear to include legacy account information from early years of operation, further lending credibility to the claim.

Photocreate had acknowledged unauthorized access in an official July 1, 2025 statement, attributing it to a phishing campaign that compromised internal systems. The company said at the time that no evidence of customer data leakage was found. However, the new listing suggests that the attacker may have maintained access for months before selling the database. If true, this could indicate a prolonged compromise of Photocreate’s internal databases.

Scope of Impact

If the claims are verified, the Photocreate data breach could have exposed the personal information of millions of customers across Japan. The stolen data includes sensitive identifiers that could be used for identity theft, phishing scams, or credential stuffing attacks. Many of the impacted users are believed to be families, students, and event participants who used Photocreate’s services for school and sports photography orders.

The data also reportedly contains decrypted passwords, which heightens the severity of the incident. Attackers could use these credentials to gain access to other online accounts if users reused passwords across platforms. The exposure of phone numbers and birthdates further increases the risk of targeted fraud attempts.

Linked Domains and Cross-Platform Exposure

The attacker’s post references several affiliated domains associated with Photocreate’s operations, including:

This suggests that multiple subdomains or related business services were connected through a shared database or compromised credentials. The inclusion of both main and subdomain entries indicates a large-scale data structure likely integrated through common authentication systems. Such consolidation often leads to greater damage during breaches, as a single compromised access point can affect multiple linked services.

Threat Actor Profile

The seller, haxorsss, has a limited but visible presence on underground forums, with a history of selling small-to-medium datasets related to Asian and European web platforms. Their forum account was created in May 2025, and the Photocreate data breach appears to be one of their largest listings to date. They list the database as “exclusive to one buyer,” a method commonly used to maintain value for sensitive or region-specific data.

By offering the breach for a fixed price of $5,000 in cryptocurrency, the actor signals a financially motivated intent rather than hacktivism. The structured dataset and inclusion of decrypted passwords also suggest prior access to administrative credentials or internal developer systems.

If confirmed, the breach could lead to significant regulatory action under Japan’s Act on the Protection of Personal Information (APPI). Photocreate may be required to notify affected users and report the incident to data protection authorities. The potential exposure of decrypted passwords and long-term account histories could result in administrative fines and mandatory security audits.

In addition, the company may face reputational damage and legal challenges from customers who entrusted it with personal and family-related information. The inclusion of data from school and sports events raises ethical concerns, as much of the data may belong to minors or families who were unaware their information would be stored for extended periods.

Mitigation and Recommendations

Security experts recommend that affected users immediately change their passwords on Photocreate and any other platforms using similar credentials. Users should also enable multi-factor authentication where possible and monitor for phishing attempts or suspicious messages. Companies managing customer data at similar scale should perform internal audits to ensure encryption and storage policies comply with Japan’s privacy regulations.
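As an added example (not code from the article or from Photocreate), the sketch below shows one check such an internal audit could run against an export of a company's own account table: it flags columns that hold recoverable passwords and labels each stored hash by format. The column names mirror the fields named in the forum post; the sample rows and the `classify_hash` and `audit` functions are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Column names suggesting recoverable passwords are kept beside the hash.
PLAINTEXT_COL = re.compile(r"(decrypt|plain|clear).*pass|pass.*(plain|clear)", re.I)
# Recognisable encodings of slow, salted password hashes.
SLOW_HASHES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$")),
]
# Bare hex strings whose length matches a fast general-purpose digest.
HEX_SIZES = {32: "hex-128 (MD5-sized)", 40: "hex-160 (SHA-1-sized)",
             64: "hex-256 (SHA-256-sized)"}


def classify_hash(value):
    """Label a stored credential by format only; nothing is cracked."""
    for name, pattern in SLOW_HASHES:
        if pattern.match(value):
            return name
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_SIZES:
        return HEX_SIZES[len(value)]
    return "unrecognised"


def audit(csv_text, hash_col="hashed_password"):
    """Return findings for one export of a credential table."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    formats = Counter(classify_hash(r[hash_col]) for r in rows if r.get(hash_col))
    columns = list(rows[0].keys()) if rows else []
    # A plaintext-style column is a finding only when it actually holds data.
    recoverable = sorted(c for c in columns
                         if PLAINTEXT_COL.search(c) and any(r.get(c) for r in rows))
    weak = sum(n for fmt, n in formats.items() if fmt not in dict(SLOW_HASHES))
    return {"recoverable_columns": recoverable,
            "formats": dict(formats), "weak_rows": weak}


# Constructed sample: three fictitious rows, not data from the listing.
SAMPLE = "\n".join([
    "email,hashed_password,decrypted_password,name",
    "a@example.jp," + "ab" * 16 + ",password,Sample A",
    "b@example.jp,$2b$12$" + "A" * 53 + ",,Sample B",
    "c@example.jp,not-a-hash,,Sample C",
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `recoverable_columns` list or a non-zero `weak_rows` count marks accounts whose credentials should be rotated and re-stored under a slow, salted hash.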

The Photocreate data breach underscores the long-term risks of storing personal data across multiple connected domains without sufficient isolation or encryption. As the investigation continues, users and clients are urged to remain vigilant for future disclosures or phishing campaigns leveraging the leaked information.

Sean Doyle