620 Million Stolen User Data Hits The Dark Web

A shocking new report revealed that data from almost 620 million online accounts, taken from 16 famous websites, is on sale on the dark web. It is being offered for less than $20,000 in Bitcoin.

The following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

The stolen information mainly includes account holders' names, email addresses and passwords; some of the databases also contain location data, personal details, and social media authentication tokens. The stolen passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used. There appear to be no payment or bank card details in the sales listings.

The price of the stolen data appears to be relatively cheap because the information is targeted at spammers and credential stuffers, who could use it to get access to other sites where the users have the same usernames and passwords. According to the Register report, “All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data. The records were swiped mostly during 2018, we're told, and went on sale this week.”

Some of the websites, such as MyHeritage, MyFitnessPal, and Animoto, were already known to have been hacked, as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches. The seller, who is believed to be located outside of the US, revealed that the Dubsmash data has been purchased by at least one person.

However, because data breaches have become so common, a purchaser could cross-reference email addresses with previous breaches. If a person has reused a password, their account may be compromised. As a precaution, if you've used any of the affected services, it's probably best to change your password.