620 million stolen online accounts available to buyers on the Dark Web
13 February 2019
Over 620 million stolen online accounts have been put up for sale on the Dream Market cyber-souk, a Dark Web marketplace which can be accessed using Tor. The accounts contain names, email addresses, and passwords of millions of people from across the globe.
While 162 million accounts were stolen from Dubsmash, 151 million were stolen from MyFitnessPal, 92 million from MyHeritage, 41 million from ShareThis, 28 million from HauteLook, 25 million from Animoto, 18 million from Whitepages, 16 million from Fotolog, 11 million from Armor Games, and 8 million such accounts were stolen from BookMate.
Account details of millions more people were also stolen from other platforms such as Artsy, CoffeeMeetsBagel, DataCamp, 500px, and EyeEm. The passwords in all of these dumps are hashed with the age-old MD5 algorithm, and buyers on the marketplace can recover them with standard password-cracking software.
According to The Register, the accounts stolen from each of the above-mentioned online platforms are stored in separate databases on the Dark Web marketplace and can be purchased by scammers or cyber criminals for less than $20,000 in Bitcoin in total. Some of these databases also contain social media authentication tokens and user location data, but none includes payment card information or other financial details of the compromised users.
Data dump will further bolster credential-stuffing attacks
It is believed that those purchasing such online accounts will be able to carry out more credential-stuffing attacks on other popular online platforms to steal more user data. Such data can either be used for identity fraud or sold on Dark Web marketplaces in exchange for money.
“There appears to be a disconcerting trend developing of combining historic data breaches and packaging them up for sale on the dark web, as was evidenced earlier this year with 773 million records known as Collection #1 published. What is notable about this recent set of data is that there are several breaches from within the last year, some of which have already been publicly reported,” said Gavin Millard, VP of intelligence at Tenable.
“As credential stuffing attacks are becoming increasingly common, repositories like this will be invaluable. For instance, dating app and website OKCupid [whose parent company is Match Group Inc] has been dealing with reports from users of their accounts being hacked. The company has denied the claim that their website was compromised, making it very likely that the account takeovers users are experiencing are the result of credential stuffing attacks.
“Some companies have taken some novel steps to try to thwart credential stuffing attacks against their users by obtaining the breached data themselves and cross-referencing it against their own database. They can then warn users of password reuse or issue a password reset to ensure their accounts are protected from credential stuffing. Individuals can also take such precautions by visiting sites such as ‘https://haveibeenpwned.com/’ to determine if they’ve an account that has been compromised,” he added.
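The cross-referencing defence Millard describes, as an added example that is not from the article, The Register, or Tenable: at login time the site has the plaintext password in hand, so it can hash it the way the leaked dump did (unsalted MD5, as the article reports) and compare, and it can also query a Pwned Passwords style k-anonymity range lookup. The dump lines, the user records, and the range response are all constructed here; the `email:md5hex` dump format, the PBKDF2 storage on the site's side, and the `fake_range_lookup` stand-in for the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint are assumptions of this example.

```python
"""Login-time check of a user's password against a leaked credential dump
and a k-anonymity breached-password lookup (added example, not the
article's or any vendor's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed excerpt of a leaked dump in "email:md5hex" form (unsalted MD5,
# as the article describes).  The hashes are MD5 of the well-known weak
# passwords "password", "123456" and "qwerty"; the emails are made up.
LEAKED_DUMP = """\
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.com:e10adc3949ba59abbe56e057f20f883e
carol@example.com:d8578edf8458ce06fbc5bb76a58c5ca4
"""

# Constructed stand-in for a Pwned Passwords range response.  The real API
# returns "SUFFIX:COUNT" lines for every SHA-1 that starts with the 5-hex
# prefix you queried, so the full hash never leaves your server.  The
# counts below are fabricated; the first suffix is SHA-1("password")[5:].
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n",
}


def fake_range_lookup(prefix: str) -> str:
    """Offline replacement for GET /range/{prefix} (assumed interface)."""
    return FAKE_RANGES.get(prefix, "")


@dataclass
class UserRecord:
    email: str
    salt: bytes
    digest: bytes


PBKDF2_ROUNDS = 100_000  # site-side storage uses a salted, slow KDF


def make_user(email: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return UserRecord(email.lower(), salt, digest)


def verify_local(rec: UserRecord, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, rec.digest)


def load_dump(text: str) -> dict:
    """Index a dump as {email: {md5hex, ...}}, skipping malformed lines."""
    index: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, h = line.rsplit(":", 1)
        index.setdefault(email.lower(), set()).add(h.lower())
    return index


def reused_from_dump(index: dict, email: str, password: str) -> bool:
    """True if this user's current password matches their leaked MD5 hash."""
    hashes = index.get(email.lower())
    if not hashes:
        return False
    return hashlib.md5(password.encode()).hexdigest() in hashes


def pwned_count(password: str, range_lookup) -> int:
    """k-anonymity check: send only the first 5 hex chars of the SHA-1."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        cand, count = line.strip().split(":", 1)
        if cand == suffix:
            return int(count)
    return 0


def login_check(users: dict, dump_index: dict, range_lookup, email: str, password: str) -> str:
    """Returns "denied", "reset_required" (correct but breached) or "ok"."""
    rec = users.get(email.lower())
    if rec is None or not verify_local(rec, password):
        return "denied"
    if reused_from_dump(dump_index, email, password) or pwned_count(password, range_lookup) > 0:
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    users = {u.email: u for u in (make_user("alice@example.com", "password"),
                                  make_user("dave@example.com", "Tr0ub4dor&3-long-unique"))}
    dump = load_dump(LEAKED_DUMP)
    for email, pw in [("alice@example.com", "password"),
                      ("dave@example.com", "Tr0ub4dor&3-long-unique"),
                      ("dave@example.com", "wrong")]:
        print(email, login_check(users, dump, fake_range_lookup, email, pw))
```

The decision is made only after the local PBKDF2 check succeeds, so the dump comparison never becomes an oracle for guessing passwords of accounts that are not already known to the caller; a `reset_required` result is where the site would force a password change and, where it has them, revoke any session or social media tokens that appeared in the same dump.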
“Without further verification, it rather looks like a secondary offering of breached databases on the black market. The first, thus exclusive and the most expensive sale, usually takes place in confidence and without notice to the breached party. Once multiple databases are grouped to be publicly offered, they are likely sold not for the first time.
“The biggest risk of targeted individual attacks against the victims, however, is probably already in the past: now the buyers will likely conduct large-scale phishing and malware campaigns without a high degree of sophistication. Nonetheless, the victims may still face password re-use attacks and therefore should be particularly cautious within the next few months,” said Ilia Kolochenko, CEO of High-Tech Bridge.
Back in January, security researcher Troy Hunt revealed the presence of a massive database hosted on cloud service MEGA that contained nearly 773 million unique email addresses and over 21 million unique passwords.
The Collection #1 data dump was officially the largest data dump ever, even larger than an unsecured cloud server based in the Netherlands which was unearthed by Hunt in August 2017 and contained as many as 711 million email addresses and passwords, which Hunt describes as ‘almost one address for every single man, woman, and child in all of Europe’.