Stolen account details from 16 hacked websites have gone on sale on the dark web. In all, 617 million records are available, with data including account holder names, email addresses and hashed passwords …
The Register lists the 16 websites affected.
For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:
Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).
Sample account records from the multi-gigabyte databases seen by The Register appear to be legit […] There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.
Some of the passwords are hashed with nothing stronger than MD5, a fast general-purpose hash that was never designed for password storage: anyone holding the hash can test billions of guesses per second on commodity GPUs, so any common or reused password falls within minutes.
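To show why "only MD5" matters, here is an added example (written for this page, not code from The Register or from any of the affected sites) that cracks a constructed set of MD5 password hashes with a tiny wordlist and then repeats the attack against the same passwords stored with a per-user salt and PBKDF2. The wordlist, the users, their passwords and the iteration count are all invented for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the leaked databases): a tiny wordlist
# and four users, three of whom picked a password that appears in it.
WORDLIST = ["password", "123456", "qwerty", "letmein", "sunshine", "dragon"]
PLAINTEXTS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "letmein",
    "carol@example.com": "sunshine",
    "dave@example.com": "Tr0ub4dor&3-correct-horse-battery",
}

# Iteration count for the slow hash; an assumption for this demo only.
# Production settings should follow current guidance for the chosen KDF.
PBKDF2_ITERS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5: what the weakest records in the dump reportedly used."""
    return hashlib.md5(password.encode()).hexdigest()


def make_md5_records(plaintexts: dict) -> dict:
    return {email: md5_hex(pw) for email, pw in plaintexts.items()}


def crack_unsalted_md5(records: dict, wordlist: list):
    """One MD5 per wordlist entry cracks every user who chose that word:
    build a lookup table hash -> plaintext once, then match each record.
    Returns (cracked, number_of_hash_computations)."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in records.items() if h in table}
    return cracked, len(wordlist)


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return salt.hex() + "$" + dk.hex()


def make_pbkdf2_records(plaintexts: dict) -> dict:
    return {email: pbkdf2_record(pw) for email, pw in plaintexts.items()}


def verify_pbkdf2(password: str, record: str) -> bool:
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted_pbkdf2(records: dict, wordlist: list):
    """With per-user salts there is no shared lookup table: every user costs
    a fresh pass over the wordlist, and every candidate costs PBKDF2_ITERS
    HMAC rounds instead of a single MD5. Returns (cracked, number_of_kdf_calls)."""
    cracked, calls = {}, 0
    for email, record in records.items():
        for word in wordlist:
            calls += 1
            if verify_pbkdf2(word, record):
                cracked[email] = word
                break
    return cracked, calls


if __name__ == "__main__":
    md5_records = make_md5_records(PLAINTEXTS)
    found, work = crack_unsalted_md5(md5_records, WORDLIST)
    print(f"MD5: cracked {len(found)} of {len(md5_records)} users with {work} hashes")
    print("alice and carol share a hash:",
          md5_records["alice@example.com"] == md5_records["carol@example.com"])
    kdf_records = make_pbkdf2_records(PLAINTEXTS)
    found, work = crack_salted_pbkdf2(kdf_records, WORDLIST)
    print(f"PBKDF2: cracked {len(found)} users with {work} KDF calls "
          f"of {PBKDF2_ITERS} rounds each")
```

Two things stand out when it runs. With unsalted MD5, six hash computations crack three of four accounts, and the two users who chose the same password are visibly linked because their hashes are identical; that is also why a dump of this kind is worth buying even without plaintexts. With salted PBKDF2 the same wordlist still finds the same weak passwords, but the attacker pays per user and per candidate, which is the whole point of a password hashing function: it does not save a user who chose "sunshine", it only makes the dump far more expensive to turn into logins.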
Some of the websites concerned have already disclosed data breaches, but others – like 500px – were unaware at the time that it had happened. The company has now confirmed the claim and notified users.
500px staff are now notifying their users that the site was indeed hacked, and will reset everyone’s passwords, starting with the ones weakly hashed using MD5.
“We are able to confirm a breach occurred,” Newell told us. “Our engineers immediately launched a comprehensive review of our systems and have since taken every precaution to secure them. All areas of vulnerability have been identified and fixed during our internal investigation, and we’ve found no evidence to date of any recurrence of the issue.
“We are currently working on notifying our entire user base, however, given the amount of users affected, this task will span one day at minimum. We’ve taken every precaution to ensure our users’ data is safe. A system-wide password reset is currently underway for all users, prioritized in order of accounts with the highest potential risk, and we have already forced a reset of all MD5-encrypted passwords.”
500px wrote in a blog post that although the breach occurred around July 5, 2018, the company only became aware of it on Friday.
2019 hasn’t been a great year for security so far. January saw what was at the time the largest ever breach of email addresses and passwords, with some 773M records exposed. That was subsequently dwarfed by four further collections, creating a staggering total of 2.2 billion unique accounts. We also recently learned about two techniques used to access iCloud-locked iPhones.
As always, this is a good time to review your security: make sure you are not reusing a password across sites, change any that you are, and turn on two-factor authentication where it is offered. Stolen account details are typically used for ‘credential stuffing,’ where the buyers run automated tools that try each leaked email address and password pair against a wide range of popular websites and services, betting that the victim reused the same password elsewhere.
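Credential stuffing also has a recognisable shape on the receiving end, which is how a site can spot it before users notice. The following added example (written for this page, not code from any of the affected services) runs a simple detector over a constructed authentication log: one source address tries many different accounts once each and gets a single hit, a second hammers one account, and a third is ordinary traffic. The log format, addresses, users and thresholds are all invented for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (invented for this example, not from any
# site named in the article). Three source IPs:
#   203.0.113.7    cycles through many different accounts, one try each,
#                  and gets one hit: the credential stuffing pattern
#   198.51.100.20  hammers a single account: classic brute force, not stuffing
#   192.0.2.5      ordinary successful logins
SAMPLE_LOG = """\
2019-02-12T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2019-02-12T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2019-02-12T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2019-02-12T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2019-02-12T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2019-02-12T10:00:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2019-02-12T10:00:10Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-02-12T10:00:11Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-02-12T10:00:12Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-02-12T10:00:13Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-02-12T10:00:14Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-02-12T10:00:15Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-02-12T10:01:00Z ip=192.0.2.5 user=alice@example.com result=OK
2019-02-12T10:45:00Z ip=192.0.2.5 user=carol@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6) -> dict:
    """Flag a source IP when, inside any `window`, it attempts logins for at
    least `min_users` distinct accounts and most of those attempts fail.
    A single account failing repeatedly is brute force, not stuffing, and is
    deliberately not flagged here. Thresholds are assumptions for this demo.
    Returns {ip: {"users": n, "attempts": n, "failures": n, "hits": [users]}},
    where "hits" are accounts that logged in successfully from a flagged IP:
    those are the reused passwords that worked and need a forced reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in span}
            failures = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                hits = sorted({e[2] for e in span if e[3] == "OK"})
                flagged[ip] = {"users": len(users), "attempts": len(span),
                               "failures": failures, "hits": hits}
                break  # one verdict per IP is enough for the report
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} accounts, {info['failures']}/{info['attempts']} "
              f"failed, successful logins: {info['hits'] or 'none'}")
```

The signal is many distinct usernames from one source with a high failure rate, not many attempts against one username; per-account lockouts do nothing against the former because each account sees only one attempt. The successful login in the middle of the run is the important output: it is an account whose password, reused from some other breach, just worked, and it should be reset and its sessions revoked regardless of how many failures surround it.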