Blue Monday in infosec: 620 million accounts across 16 'hacked' websites now for sale on dark web, seller claims

By Chris Williams, Editor in Chief 11 Feb 2019 at 23:55

Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today in bulk on the dark web, according to the data trove's seller.

For less than $20,000 in Bitcoin, the following purportedly pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor dark web:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register at least appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed – run through a one-way function rather than stored in plaintext – and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appear to be no payment or bank card details in the sales listings.

These silos of seemingly purloined information are aimed at spammers and credential stuffers, which is why they are relatively cheap to buy. The stuffers will take usernames and passwords leaked from one site to log into accounts on other websites where the users have used the same credentials.

So, for example, someone buying the purported 500px database could crack the weaker password hashes in the list, because some were allegedly produced with the obsolete MD5 algorithm, and then try the email address and cracked password combinations to log into, say, strangers' Gmail or Facebook accounts, where the same email address and password have been reused.

All of the databases are right now being sold separately by one hacker, who says he or she typically exploited vulnerabilities within the websites to gain remote-code execution and then extract user account data. The records were swiped mostly in 2018, and went on sale this week.

The seller, who is believed to be located outside of the US, claims the affected sites should, one way or another, already be aware of the data thefts and have patched their systems.

We're also told the Dubsmash data has been purchased by at least one person.

Some of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were already known to have been hacked, as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches.

In other words, if the databases are legit, then this is the first time we've heard these other sites have been hacked. This also marks the first time this data, for all of the listed sites, has been sold publicly, again if the seller's claims are true.

A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world in 2018. This lends further credibility to the data trove.

Last week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted them, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their allegedly stolen account data was being touted on the dark web.

Over the weekend, the underground bazaar was mostly knocked offline apparently by a distributed denial-of-service attack. On Monday this week, the underground marketplace returned to full strength, and the seller added the rest of the sites. We contacted all of them for a response. Meanwhile, Dream Market has been smashed offline again.

Here's a summary of what is, or briefly was, purported to be on sale:

  • Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total

    11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed password, username, email address, language, country, plus for some, but not all the users, the first and the last name. This alleged security breach has not been publicly disclosed by the business. Dubsmash is a video-messaging application popular with millennials and younger folk.

    Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner Simone McCormick told us:

  • 500px: 14,870,304 accounts for 0.217 BTC ($780) total

    1.5GB of data taken July 2018. Each account record potentially contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first name, last name, birthday, gender, country, city, and Facebook ID. This alleged security breach has not been publicly disclosed by the business. 500px is a social-networking site for photographers and folks interested in photography.

    "Our engineering team is currently investigating and if we can confirm there was a breach we will take the necessary steps to inform our users as per GDPR standards," 500px spokesperson Stephanie Newell told us.

  • EyeEm: 22,360,765 accounts for 0.289 BTC ($1,040) total

    1.7GB of data taken February 2018. Each account record contains an email address and SHA1-hashed password, although about three million are missing an email address. This alleged security breach has not been publicly disclosed by the business. EyeEm is an online hangout for photographers. A spokesperson did not respond to a request for comment.

  • 8fit: 20,180,667 accounts for 0.2025 BTC ($728) total

    1.9GB of data taken July 2018. Each account record contains an email address, bcrypt-hashed password, country, country code, Facebook authentication token, Facebook profile picture, name, gender, and IP address. This alleged security breach has not been publicly disclosed by the business. 8fit offers customized workout and diet plans for healthy fitness types.

    8fit CEO Aina Abiodun told us her team is investigating, adding: "I need to get back to you on this and can't comment immediately."

  • Fotolog: 16 million accounts for 0.52 BTC ($1,872) total

    5.9GB of data taken in December 2018. There are five SQL databases containing information including email addresses, SHA256-hashed passwords, security questions and answers, full names, locations, interests, and other profile information. This alleged security breach has not been publicly disclosed by the business. Fotolog is another social network for photography types. A spokesperson did not respond to a request for comment.

  • Animoto: 25,402,283 accounts for 0.318 BTC ($1,144) total

    2.1GB of data taken 2018. Each account record contains a user ID, SHA256-hashed password, password salt, email address, country, first and last name, and date of birth. This security breach was publicly disclosed by the business in 2018, though this is the first time the data has gone on sale, we understand.

    "We provided notification about an incident potentially affecting customers back in August 2018 after we identified unusual activity on our system," spokesperson Rebecca Brooks told us. "After identifying the suspicious activity, we immediately took the systems offline and implemented numerous security controls to help prevent an incident like this from happening again."

  • MyHeritage: 92,284,478 accounts for 0.549 BTC ($1,976) total

    3.6GB of data taken October 2017. Each account record contains an email address, SHA1-hashed password and salt, plus the date of account creation. This security breach was publicly disclosed by the business last year, though this is the first time the data has gone on sale, we're told. No DNA or similar sensitive information was taken. MyHeritage is a family-tree-tracing service that studies customers' genetic profiles.

    A spokesperson told us:

  • MyFitnessPal: 150,633,038 accounts for 0.289 BTC ($1,040) total

    3.5GB of data taken February 2018. Each account record contains a user ID, username, email address, SHA1-hashed password with a fixed salt for the whole table (so every user's hash shares the same salt), and IP address. This security breach was publicly disclosed by the business last year. This may be the first time it has gone on public sale. Under Armour-owned MyFitnessPal does what it says on the tin: it's an app that tracks diet and exercise. A spokesperson did not respond to a request for comment.

  • Artsy: 1,070,000 accounts for 0.0289 BTC ($104) total

    184MB of data taken April 2018. Each account record contains an email address, name, IP addresses, location, and SHA512-hashed password with salt. This alleged security breach has not been publicly disclosed by the business. Artsy is an online home for collecting and organizing art. A spokesperson did not respond to a request for comment.

  • Armor Games: 11,013,617 accounts for 0.2749 BTC ($988) total

    1.8GB of data taken late December 2018. Each account record contains a username, email address, SHA1-hashed password and salt, date of birth, gender, location, and other profile details. This alleged security breach has not been publicly disclosed by the business. Armor Games is a portal for a ton of browser-based games. A spokesperson did not respond to requests for comment.

  • Bookmate: 8,026,992 accounts for 0.159 BTC ($572) total

    1.7GB of data taken July 2018. Each account record contains a username, potentially an email address, SHA512- or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged security breach has not been publicly disclosed by the business. Bookmate makes book-reading apps. A spokesperson did not respond to a request for comment.

  • CoffeeMeetsBagel: 6,174,513 accounts for 0.13 BTC ($468) total

    673MB of data taken December 2017. Each account record contains typically a full name, email address, age, registration date, gender, and what is claimed to be a SHA256-hashed password. This alleged security breach has not been publicly disclosed by the business. CoffeeMeetsBagel is a dating website.

    A spokesperson for CoffeeMeetsBagel told us: "We are not aware of a breach at this time, but our security team is looking into this now." They also said they do not store passwords, and use third-party sites – cough, Facebook – for authentication. It may well be that these hashes date back to before the site started using Facebook for logging in.

  • DataCamp: 700,000 accounts for 0.013 BTC ($46.80) total

    82MB of data taken December 2018. Each account record contains an email address, bcrypt-hashed password, location, and other profile details. This alleged security breach has not been publicly disclosed by the business. DataCamp teaches people data science and programming. A spokesperson told us they are "looking into" the online sale.

    "We take this matter seriously and want to further verify if this is indeed the case," said the biz's Lode Vanacken. "We will also investigate access and audit logs to see if we can trace back any potential unauthorised access. If indeed further investigation shows this data to be valid we will communicate with you and with the affected end-users."

  • Hautelook: 28 million accounts for 0.217 BTC ($780) total

    1.5GB of data taken during 2018. Each account record contains an email address, bcrypt-hashed password, and name. This alleged security breach has not been publicly disclosed by the business. Hautelook is an online store for fashion, accessories, and so on. A spokesperson did not respond to a request for comment.

  • Sharethis: 41,028,098 accounts for 0.217 BTC ($780) total

    2.7GB of data taken early July 2018. Each account record contains a name, username, email address, DES-hashed password, gender, date of birth, and other profile info. This alleged security breach has not been publicly disclosed by the business. Sharethis makes a widget for sharing links to stuff with friends. A spokesperson did not respond to a request for comment.

  • Whitepages: 17,775,679 accounts for 0.434 BTC ($1,560) total

    2.9GB of data taken 2016. Each account record contains an email address, SHA1- or bcrypt-hashed password, and first and last name. This alleged security breach has not been publicly disclosed by the business. Whitepages is an online telephone and address directory. A spokesperson did not respond to a request for comment.
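As an added illustration, not from the article or from any of the sites named in it, the constructed Python audit below shows why the storage details listed above matter to anyone reviewing their own credential store: fast hashes such as MD5 and SHA1, and one salt shared by the whole table as in the MyFitnessPal entry, versus a per-user salt and a deliberately slow key-derivation function. All records, salts and passwords in it are made up, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os
from collections import Counter

# Hash functions that are fast by design and therefore unsuitable for passwords;
# the article's listing names dumps using each of these.
FAST_HASHES = {"md5", "sha1", "sha256", "sha512", "des"}

def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA1, the scheme several of the listed dumps reportedly used."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def build_table(passwords, per_user_salt: bool):
    """Constructed sample credential table (not data from any real site): one row per
    user, with either a fresh random salt per user or one salt reused table-wide."""
    shared_salt = b"one-salt-for-the-whole-table"  # hypothetical fixed salt
    rows = []
    for i, pw in enumerate(passwords):
        salt = os.urandom(16) if per_user_salt else shared_salt
        rows.append({"user": f"user{i}", "alg": "sha1", "salt": salt,
                     "hash": sha1_salted(pw, salt)})
    return rows

def audit(rows):
    """Flags a defender would raise when reviewing how a table stores passwords."""
    findings = set()
    if any(r["alg"] in FAST_HASHES for r in rows):
        findings.add("fast-hash")        # crackable at hardware speed once leaked
    if len(rows) > 1 and len({r["salt"] for r in rows}) == 1:
        findings.add("shared-salt")      # one guess list covers every user at once
    # Identical digests reveal identical passwords; only a shared salt allows that.
    if any(n > 1 for n in Counter(r["hash"] for r in rows).values()):
        findings.add("duplicate-digests")
    return findings

def store_slow(password: str, salt: bytes = b""):
    """The fix: a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_slow(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(store_slow(password, salt)[1], digest)
```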

The seller told The Register they have as many as 20 databases to dump online, while keeping some other ones back for private use, and that they have swiped roughly a billion accounts from servers to date since they started hacking in 2012.

Their aim is to make "life easier" for hackers, by selling fellow miscreants usernames and password hashes to break into other accounts, as well as make some money on the side, and highlight to netizens that they need to take security seriously – such as using two-factor authentication to protect against password theft. The thief also wanted to settle a score with a co-conspirator, by selling a large amount of private data online.

The hacker previously kept stolen databases private, giving them only to those who would swear to keep the data secret.

"I don't think I am deeply evil," the miscreant told us. "I need the money. I need the leaks to be disclosed.

"Security is just an illusion. I started hacking a long time ago. I'm just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I'll make hacking easier than ever." ®