620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts | InfoWatch

You are here

620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller. Dubsmash, Armor Games, 500px, Whitepages, ShareThis, and more said to be up for grabs for $$$s in BTC, The Register reports.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.

These silos of purportedly purloined information are aimed at spammers and credential stuffers, which is why copies are relatively cheap to buy. The stuffers will take usernames and passwords leaked from one site to log into accounts on other websites where the users have used the same credentials.

So, for example, someone buying the purported 500px database could decode the weaker passwords in the list, because some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked password combinations to log into, say, strangers' Gmail or Facebook accounts, where the email address and passwords have been reused.

All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data. The records were swiped mostly during 2018, we're told, and went on sale this week.

The seller, who is believed to be located outside of the US, told us the Dubsmash data has been purchased by at least one person.

Some of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were known to have been hacked as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches. In other words, this is the first time we've heard these other sites have been allegedly hacked. This also marks the first time this data, for all of the listed sites, has been peddled publicly, again if all the sellers' claims are true.

A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018. ShareThis, CoffeeMeetsBagel, 8fit, 500px, DataCamp, and EyeEm also confirmed their account data was stolen from their servers and put up for sale this week in the seller's collection. This lends further credibility to the data trove.

Last week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted them, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their account data was potentially being touted on the dark web.

Over the weekend, the underground bazaar was mostly knocked offline, apparently by a distributed denial-of-service attack. On Monday this week, the underworld marketplace returned to full strength, and the seller added the rest of the sites. The Register contacted all of them to alert them, and ask for a response. Meanwhile, Dream Market has been smashed offline again.

The seller told The Register they have as many as 20 databases to dump online, while keeping some others back for private use, and that they have swiped roughly a billion accounts from servers to date since they started hacking in 2012.

Their aim is to make "life easier" for hackers, by selling fellow miscreants usernames and password hashes to break into other accounts, as well as make some money on the side, and highlight to netizens that they need to take security seriously – such as using two-factor authentication to protect against password theft. The thief also wanted to settle a score with a co-conspirator, by selling a large amount of private data online.

The hacker previously kept stolen databases private, giving them only to those who would swear to keep the data secret.

"I don't think I am deeply evil," the miscreant told us. "I need the money. I need the leaks to be disclosed.

"Security is just an illusion. I started hacking a long time ago. I'm just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I'll make hacking easier than ever."