The hacker who previously sold 620 million accounts from 16 companies came back with another 127 million records and put them up for sale on the Dark Web

Earlier this week, a hacker was selling over 620 million user accounts that were stolen from 16 different companies.[1] The perpetrator, who goes by the name “gnosticplayers,” uploaded another batch of information for sale, and it now contains another 127 million records that were put up for grabs on the site Dream Market located on the anonymous Tor network.

The first batch of data, which included names, email addresses, and encrypted passwords, was listed for $20,000 in bitcoin. According to the Register, some entries also included additional data, but no financial information was included:[2]

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.

The black market site that hosts the data listing went live back in 2013 and since then became a den for various types of thugs. Dream Market provides access to many illegal items, such as drugs and weapons, and it is also widely used by cybercriminals to sell/buy malware or personal data like credit card info, login details, names, social security numbers, etc.

The “gnosticplayers” removed the databases shortly after publishing them to prevent multiple customers buying the same information which can consequently result in a leak and lose the value of data. The note from the hacker read the following:

All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don't worry, next round of breaches coming soon.

Companies from different industries involved in the data leak

Security researchers believe[3] that the same security vulnerability could have been used to access data, as sic out of 16 databases were using open-source PostgreSQL database software. If hacker(s) managed to exploit the flaw successfully, it would allow them to create a dump file and simply download it.

The companies from the first batch included EyeEm, Whitepages, MyHeritage, MyFitnessPal, ShareThis, Artsy, Bookmate, and a few others. This time, the criminal(s) listed the following data for $14,500 in bitcoin:

File sharing service Ge.tt – 1.83M records

Gaming site Roll20 – 4M records

Online video game Stronghold Kingdoms – 5M records

Booking site Ixigo – 18M records

Video streaming site YouNow – 40M records

Home interior design site Houzz – 57M records

Per care service PetFlow – 1M records

Cryptocurrency exchange site Coinmama – 450,000 records

While all of the passwords were scrambled and needed to be decoded in order to use, Ixigo and PetFlow used an outdated MD5 hashing algorithm which is relatively easy to decipher.

From all the listed companies, only Houzz publicly announced[4] the data breach, while others did not make any official publications apart from those that are coming from the press.

The stolen data can be used for malicious purposes

The accumulated data can be bought by anybody and be used for such goals as Credential stuffing. Such attacks become extremely prevalent recently, with such hacking groups emerging like Magecart that use credential stuffing to steal financial data of such organizations like Ticketmaster[5] or Shopper Approved.

According to The Register, who contacted gnosticplayers, claimed that the perpetrator still has another 20 databases that will be published on the Dark Web, totaling in around a billion accounts from various sites. The criminal(s) will also withhold several more databases for personal use.

As evident, the enormous data leakage will not stop, as hackers are always going to find new vulnerabilities to exploit. However, the measures that can be used to reduce the number of such attacks include organizations investing in the security sector. Additionally, users should remember to change their passwords frequently and use such measures as two-factor authentication.