A hacker claims to have stolen 617 million online accounts, which they are selling on the dark web.

The cyber thief claims to be hawking the stolen account databases on the Dream Market, located in the Tor network. According to the hacker, for less than $20,000 (£15,500) in Bitcoin, account details can be bought from the following websites:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases appear to be genuine according to the Register, which stated it has seen the data. Compromised data includes account holder names, email addresses, and passwords that are hashed or one-way encrypted and must, therefore, be cracked before they can be used.


Depending on the website, other details include location, personal details, and social media authentication tokens, although it seems that no payment or bank details are included in the sales listing.

Spammers and credential stuffers are the most likely buyers to be interested in these accounts, which is why the copies have such a low price tag. Stuffers would use the usernames and passwords from one site to log into accounts on other websites where the users have used the same credentials.
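The credential-stuffing pattern described above, seen from the defender's side: an added example (not part of the article) that flags a login source trying many distinct usernames in a short window with mostly failures, and lists the accounts that did authenticate from it so they can be reset. The log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from the article): 203.0.113.7 tries many distinct
# usernames in seconds and mostly fails; 198.51.100.9 is one user mistyping once.
SAMPLE_LOG = """\
2019-02-11T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2019-02-11T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2019-02-11T10:00:03Z src=203.0.113.7 user=carol@example.com result=OK
2019-02-11T10:00:04Z src=203.0.113.7 user=dave@example.com result=FAIL
2019-02-11T10:00:05Z src=203.0.113.7 user=erin@example.com result=FAIL
2019-02-11T10:00:06Z src=203.0.113.7 user=frank@example.com result=FAIL
2019-02-11T10:00:30Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-02-11T10:00:45Z src=198.51.100.9 user=alice@example.com result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Yield (timestamp, src, user, ok) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"] == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {src: (distinct_users, failures, successes)} for sources that try
    many distinct usernames within `window` with a low success ratio."""
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(parse(log_text), key=lambda e: e[0]):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):            # sliding time window over this source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = evs[start:end + 1]
            users = {u for _, u, _ in seen}
            ok_count = sum(1 for _, _, ok in seen if ok)
            if len(users) >= min_users and ok_count / len(seen) <= max_success_ratio:
                flagged[src] = (len(users), len(seen) - ok_count, ok_count)
    return flagged

def accounts_to_reset(log_text):
    """Usernames that authenticated successfully from a flagged source."""
    flagged = find_stuffing_sources(log_text)
    return {u for _, src, u, ok in parse(log_text) if ok and src in flagged}
```

Thresholds such as `min_users` and `max_success_ratio` need tuning against a site's normal traffic, since shared NAT addresses can look similar on the user-count axis alone.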

The hacker has said that the accounts were mainly stolen in 2018, and that he/she had exploited security vulnerabilities within web apps to gain remote-code execution and extract user account data.

While some websites involved were known to be hacked, such as MyHeritage, MyFitnessPal and Animoto, the others are seemingly newly discovered security breaches. Furthermore, if the seller’s claims are true, this is the first time this data, from all the named websites, has been sold publicly online.

The unscrupulous vendor confirmed to the Register that the Dubsmash data has been purchased by at least one person. Some websites have already confirmed that the data is legit, thus giving credence to the hacker’s claims. MyHeritage confirmed samples from its now-for-sale data are the real deal.

CoffeeMeetsBagel, 8fit, 500px, DataCamp, and EyeEm also confirmed their account data was lifted from their servers and put up for sale this week. According to the Register, when it spotted the listings it notified Dubsmash, Animoto, EyeEm, 8fit, Fotolog and 500px that their data was potentially being sold on the dark web.

Alongside the 20 databases being advertised, the hacker told the Register that they were keeping some others back for private use and that they have pilfered roughly a billion accounts from servers to date since they started hacking in 2012.


Apparently, the hacker’s goals are to make life easier for fellow cyber criminals, make money on the side, settle a score with a co-conspirator, and to ‘nobly’ highlight to netizens that they need to take security seriously.

“I don’t think I am deeply evil,” the hacker told the Register. “I need the money. I need the leaks to be disclosed. Security is just an illusion. I started hacking a long time ago.

“I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

Commenting on the situation, cyber security expert and Dashlane CEO, Emmanuel Schalit, told DIGIT: “5-10 years ago, consumer cybersecurity was about protecting your device with anti-virus software or an anti-spam filter. Today your data is not only on your device, it is in the cloud and the last/only line of defence there is likely to be your passwords.

“Encrypted passwords are among the data that has been leaked here, and even though they must be cracked before they are able to be used, this still presents a big problem.

“Passwords are to the digital age what seatbelts were to the auto industry. They protect your identity, finances and other critical personal information – so should they be cracked and used, all this data could be used for nefarious means.

“Given the sheer quantity of this data on sale, we would advise all consumers, not just those affected, to change their passwords immediately, across all of their accounts. For those affected, this is even more important.

“You may not be able to control the security architecture of the digital services you use every day, but you can take measures to make sure you have optimal password hygiene.

“Some breaches, as we see here, aren’t discovered or disclosed for months or even years, so in addition to this, changing your passwords regularly is crucial, as you never know when your account might have been exposed.”
