The dataset that Rex Mundi has found on the website of EasyPay, which has some secure parts and some older, very insecure parts (without even encrypted logins), consists of passwords combined with email addresses used as login.
So this is one possibility, especially because there is NO ENCRYPTION on that login (how is this still possible?), and there are other login pages and forms like it on this site without any encryption.
We didn't test for any SQL injection on any site, as this would be illegal under Belgian law and we don't do anything illegal, because so many people hate us that they would love to prosecute us and silence us (to be able to keep on doing their work as if nothing happened and you would never know).
The biggest question is whether all the users have been informed that their logins and passwords are compromised and should be reset, and that they should change their password if they use it anywhere else with the same email address.
They are lucky; it could have been much worse. But I have also thought that Rex Mundi was always in for a quickie and has not proven that he is up for big, complicated, long-term operations using different entry points on websites or combining vulnerabilities and mistakes (at least this is not the impression I have until now, but he can also try to convince me of the contrary). On the other hand, why would you do such operations and take such risks of leaving so many traces behind if there are so many websites that are so badly written and maintained that in a few minutes you just get the data?
It is like walking into a casino with rows of cash machines: sometimes you are lucky and sometimes you are not. We don't know how many websites have paid and we will probably never know, because no data has been published about them. We only know of the hacked or breached sites because they don't want to pay, or not immediately. But on the other hand his price has gone up so enormously that paying has become much more difficult for some companies. When he was asking only a few thousand dollars, most companies could keep it away from the board of directors and hide it in a consultancy or other contract. Under today's stringent financial rules this is much more difficult if you are asking 30.000 Euro or much more. But it also shows that some companies have paid so much without much resistance, and that has increased the price for all the others as well.
As a reminder, I have nothing to do with this group or guy and only know them through Twitter.