620 million accounts stolen from 16 hacked websites (Dubsmash, Armor Games, 500px, Whitepages, ShareThis) available for sale on the dark web
The Register revealed in exclusive that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web.
The advertising for the sale of the huge trove of data was published in the popular Dream Market black marketplace, data are available for less than $20,000 worth of Bitcoin.
Data was collected from data breaches of popular websites including:
- Dubsmash (162 million);
- MyFitnessPal (151 million);
- MyHeritage (92 million);
- ShareThis (41 million);
- HauteLook (28 million);
- Animoto (25 million);
- EyeEm (22 million);
- 8fit (20 million);
- Whitepages (18 million);
- Fotolog (16 million);
- 500px (15 million);
- Armor Games (11 million);
- BookMate (8 million);
- CoffeeMeetsBagel (6 million);
- Artsy (1 million);
- DataCamp (700,000).
While some of the above websites are known to have been hacked (i.e. MyHeritage, MyFitnessPal) for some of them it is the first time that the security community was informed of their breaches.
Journalists at The Register have analyzed account records and confirmed they appear to be legit. Spokespersons for MyHeritage and 500px confirmed the authenticity of the data.
Most of the data included in the dump consist of account holder names, email addresses, and hashed passwords (in some cases password are hashed with the MD5 algorithm that makes it easy for hackers to decrypt).
Journalists pointed out that depending on the specific website there are other information in the archives, including location, personal details, and social media authentication tokens. The data doesn’t include financial information.
The information could be used by threat actors to target users of hacked websites and conduct several malicious activities.
“All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data.” states the post published by The Register. “The records were swiped mostly during 2018, we’re told, and went on sale this week.”
The journalists confirmed that they received the information that the Dubsmash data has been purchased by at least one individual.
The seller seems to be located outside of the US, at least in one case he attempted to blackmail the owner of the website asking money to avoid the sale of data.
The seller told The Register that he stolen roughly a billion accounts from servers to date since he started hacking in 2012.