A recent announcement from a hacker known as “Blinkers” has raised alarm bells regarding a significant data breach affecting Tuipoint, a digital booking platform for barbers based in New Zealand. The alleged breach purportedly exposes the personal information of over 414,000 users, presenting a serious security risk to individuals utilizing the service.
Tuipoint operates as a smart queuing and booking application tailored for barbershops, extending its reach across both New Zealand and the United Kingdom. The threat actor’s claims emerged in a post on a well-known hacking forum, where they stated they possess the entire user database from Tuipoint. In the post, Blinkers provided what they claimed were samples of the compromised data, including user names, email addresses, and phone numbers.
Of particular concern is that some entries in the leaked database are reportedly dated as recently as March 5, 2025. Cyber Daily has taken steps to verify the authenticity of some email addresses found within the dataset and has identified that while a portion has been previously exposed in prior incidents, numerous others appear to be unique to this breach. This finding underscores the ongoing risk posed by data leaks in the current digital landscape.
In response to the emerging breach, Cyber Daily has reached out to Tuipoint for further clarification and information regarding the incident. The company has yet to issue a public statement addressing the claims or the specific measures it intends to implement in light of this potential compromise.
This incident is reminiscent of security challenges faced by other platforms. For instance, Zello, a widely-used push-to-talk application, recently requested users to reset their passwords due to a security incident that has not been fully explained. Users were advised to change passwords for any accounts created before November 2, 2024, suggesting that similar vulnerabilities could have allowed unauthorized access to user credentials. The implications of Zello’s request indicate the possibility of personal data exposure, potentially involving tactics such as credential stuffing or social engineering attacks.
When analyzing the potential tactics and techniques that may have been utilized in the Tuipoint breach, it is important to consult the MITRE ATT&CK Framework for context. Initial access could have been achieved through various means, including phishing or exploitation of vulnerabilities. Once access was gained, adversaries may have employed techniques associated with data exfiltration to compile user information for public or private sale.
Given the increasing frequency of cyber incidents affecting digital platforms, business owners and users alike must remain vigilant regarding their cybersecurity practices. The Tuipoint breach serves as a stark reminder of the vulnerabilities that exist within digital infrastructures and the necessity of robust security measures to protect sensitive user data in an increasingly interconnected world. As this story develops, continued monitoring of Tuipoint’s response and further investigations into the breach will be crucial for assessing the broader implications for users and the industry at large.
