This is not the first time this has happened: in April 2016 a similar vulnerability in their API led to 13,000 messages being stolen by a miscreant. The legal and privacy impact of that breach was never quantified.

As the world’s largest darknet market since 2015, and thus the largest target for law enforcement and hackers, AlphaBay is notable for having a comprehensive privacy policy, published in May 2016, covering a number of key points. Most importantly:

The buyer and seller notes in an order are kept for 30 days after completion of the order

The announcement indicates the following information was compromised:

1) Marketplace PMs not older than 30 days, up to ID 2609452. IDs are not always sequential, as 218,000 messages were obtained.

*** Conversations that did not receive a message in the last 30 days were not affected, as they were automatically purged ***

2) List of user IDs + username (nothing more).

Users who did not PGP encrypt their address information to the vendor will have their name and address (or pseudonym and drop address) in the hands of the attacker, opening them up to potential extortion.

Users with distinctive usernames they have also used elsewhere on the web risk being identified as darknet market users and move a step closer to trouble.

Don’t mix your darknet user name with other handles!

However, compared to a typical e-commerce data breach, the fact that markets do not use email addresses for user registration makes this breach much lower risk in terms of identifying and compromising site users.

Whilst AlphaBay suggests the attacker was financially motivated:

The attacker was paid for his findings, and agreed to tell us the methods used to extract such information.

[Struck through by the author; see the update below.] The existence of this flaw and the limited disclosure from AlphaBay do not rule out the possibility that the flaw was exploited by hackers or law enforcement for months or even years previously. Until AlphaBay can offer such a refutation, it could be reasonable to assume that all non-encrypted communications and all metadata have been compromised up to this moment.

Indeed users were quick to speculate:

If we assume that /u/Cipher000 worked alone and was able to code the bot in a few days it would be trivial for law enforcement to do that. As is always the case, anything sensitive should be encrypted because you never know what exploits the three letter agencies know about.

Update: AlphaBay support responded to my inquiry, indicating that the flaw had only been exploited by a single attacker, as they have inspected their web logs:

The web logs show that it wasn’t exploited until 4 days ago. The attacker then started dumping messages, and once he announced it, we paid him and immediately closed the loop.

Whilst AlphaBay is aware this will affect consumer confidence, its public disclosure is designed to reassure vendors and buyers that they can continue doing business there, and it plays down the impact and risk associated with the breach.

Thanks to everyone for being a loyal customer, and to apologize to the community, we will be offering 20% discount on Escrow fees for the next week on all marketplace orders.

Main AlphaBay Reddit thread announcement