[BreachExchange] 620 million records from 16 websites listed for sale on the Dark Web

Destry Winant destry at riskbasedsecurity.com
Wed Feb 13 10:08:08 EST 2019


https://nakedsecurity.sophos.com/2019/02/13/620-million-records-from-16-websites-listed-for-sale-on-the-dark-web/

The pockets of credential stuffers and spammers have been potentially
fattened by another 617 million pilfered accounts, hacked out of 16
websites and now allegedly up for sale on the Dark Web.

The Register reports that a seller on the Dream Market – a Dark Web
marketplace hidden by the encrypted layers of Tor – began offering
these stolen databases with this many accounts on Monday:

Dubsmash: 162 million
MyFitnessPal: 151 million
MyHeritage: 92 million
ShareThis: 41 million
HauteLook: 28 million
Animoto: 25 million
EyeEm: 22 million
8fit: 20 million
Whitepages: 18 million
Fotolog: 16 million
500px: 15 million
Armor Games: 11 million
BookMate: 8 million
CoffeeMeetsBagel: 6 million
Artsy: 1 million
DataCamp: 700,000

The Register has contacted all of the sites, many of which are
photography, game or fitness oriented. The publication has also listed
summaries of what is, or was, purportedly for sale and for what asking
price.

Some of the sites have previously reported breaches, while some told
the Register to hold that thought – they’d need to check with their IT
and legal departments about the alleged breaches.

One example:

Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total

11GB of data taken in December 2018. Each account record contains the
user ID, SHA256-hashed password, username, email address, language,
country, plus for some, but not all the users, the first and the last
name. This alleged security breach has not been previously publicly
disclosed. Dubsmash is a video-messaging application popular with
millennials and younger folk.

New York City-based Dubsmash has hired law firm Lewis Brisbois to
probe the online sale. Partner Simone McCormick told us:

Our office has been retained to assist Dubsmash in this matter. Thank
you for your alert. We immediately launched an investigation. We plan
to notify any and all individuals as appropriate. Again, thank you for
bringing this to our attention.

The Dark Web seller is believed to be outside the US. He or she told
the Register that the Dubsmash data has been purchased by at least one
person.

He or she claims to be the hacker who exfiltrated the databases, each
of which is being sold separately. The hacker said that they typically
extracted the credentials by exploiting security vulnerabilities
within web apps to pull off remote code execution. Most of the records
were stolen last year, the hacker/seller told the Register.

The records appear legitimate. At least some of the sites have
confirmed the breaches. The records consist mainly of account holder
names, email addresses, and hashed passwords that have to be cracked
before they can be used. That’s cold comfort, however, in the case of
passwords hashed using the obsolete MD5 algorithm, including some
records from 500px.

Fortunately, 500px said that it’s now notifying users about the site
being hacked and plans to reset all user passwords. It’s already
forced password resets for passwords that were weakly hashed with MD5.
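The paragraphs above draw the line between "hashed passwords that have to be cracked" and MD5 hashes that are cold comfort. The difference a defender cares about is not only MD5 versus SHA-256 but whether the hash is fast and unsalted (so a table of digests for common passwords can be computed once and reused against every leak that used the same scheme) or a per-user salted, slow KDF. The following Python script is an added illustration, not code from the article or from any of the breached sites; the usernames and passwords in it are constructed, and scrypt from the standard library stands in for whatever KDF a site would actually choose (argon2 or bcrypt would serve the same purpose).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample (not from the article): two users who chose the same password.
SAMPLE_USERS = {"alice": "sunshine1", "bob": "sunshine1"}


def fast_unsalted_hash(password: str, algo: str = "md5") -> str:
    """Legacy storage scheme: one fast digest, no salt.

    Deterministic, so identical passwords give identical digests and a
    precomputed table of digests for common passwords matches every leaked
    database that used the same algorithm. That is true of SHA-256 as well
    as MD5; MD5 is simply older and cheaper to compute.
    """
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a memory-hard KDF (hashlib.scrypt).

    The digest depends on a salt unique to the user, so nothing can be
    precomputed, and each guess costs about 16 MiB of memory (n=2**14, r=8)
    and milliseconds rather than microseconds. Returns (salt, digest); store both.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_scrypt(password: str, salt: bytes, expected: bytes) -> bool:
    """Check a candidate password against a stored (salt, digest) in constant time."""
    _, digest = scrypt_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def digests_collide(users: dict, salted: bool) -> bool:
    """True if any two users end up with the same stored digest.

    With an unsalted fast hash this is True whenever two users share a
    password, which is what lets one cracked digest unlock many accounts.
    With per-user salts it is False even for identical passwords.
    """
    digests = []
    for pw in users.values():
        if salted:
            _, d = scrypt_hash(pw)
            digests.append(d)
        else:
            digests.append(fast_unsalted_hash(pw))
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    print("unsalted MD5 digests collide:", digests_collide(SAMPLE_USERS, salted=False))
    print("salted scrypt digests collide:", digests_collide(SAMPLE_USERS, salted=True))
    salt, stored = scrypt_hash("sunshine1")
    print("verify correct password:", verify_scrypt("sunshine1", salt, stored))
    print("verify wrong password:  ", verify_scrypt("sunshine2", salt, stored))
```

The practical consequence is the one 500px acted on: once an unsalted fast-hash database is out, the only sound remedy is a forced reset, because the hashes offer no time for users to react. Accounts stored under a salted, memory-hard KDF still warrant a reset, but the site has breathing room to notify first.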

This haul represents a lot of purloined databases, and there are a
commensurately large number of details available in the Register’s
report. If you’re a user of any of those websites, there’s a good
chance you’ve already been notified, either when the site was breached
last year or when it found out it was breached this week. If you
haven’t already been notified, you might want to check out what’s up
with your account(s) by looking them up in the Register’s article.

But wait, there’s more

The seller told the Register that s/he’s got as many as 20 databases.
They said that they’re keeping some to themselves for private use,
whatever that may mean. The seller/hacker also said that they’ve
swiped about a billion accounts since they first began siphoning
servers in 2012.

The goal: to make some money, to teach people a lesson about taking
security seriously (such as by using two-factor authentication [2FA]),
to make life easier for other hackers… and to settle a score with a
co-conspirator.

The crook waxed philosophical:

I don’t think I am deeply evil. I need the money. I need the leaks to
be disclosed.

Security is just an illusion. I started hacking a long time ago. I’m
just a tool used by the system. We all know measures are taken to
prevent cyber attacks, but with these upcoming dumps, I’ll make
hacking easier than ever.

Just a “tool used by the system?” A-yuh.

Here’s another tool: the 2FA that the seller thinks, rightly, that
people should use to fend off laissez-faire operators like him/her.

This hacker/seller is trying to make it easier for other hackers to
break into our accounts. Let’s all make it harder.

Another tool that can protect us from credential-stuffing thieves:
unique, difficult to guess passwords, one for each website or service
we use, so these burglars can’t try to break into multiple accounts
when they slurp our credentials off one source and stuff them
everywhere else they can think of to see if they can get in.
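Unique passwords and 2FA are the user's side of the defence against credential stuffing. On the service side, the tell is that a stuffing run tries each leaked account once and moves on, so a per-account lockout never fires; what stands out is one source cycling through many distinct usernames in a short window. The script below is an added example, not code from the article or from any of the sites named in it; the log format and the log lines are constructed for the example, and the IPs come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed login log (not from the article). One source tries six
# different accounts in five seconds, each once, and lands one success;
# another source retries a single account three times.
SAMPLE_LOG = """\
2019-02-11T10:00:01Z ip=203.0.113.5 user=alice result=fail
2019-02-11T10:00:02Z ip=203.0.113.5 user=bob result=fail
2019-02-11T10:00:02Z ip=203.0.113.5 user=carol result=fail
2019-02-11T10:00:03Z ip=203.0.113.5 user=dave result=success
2019-02-11T10:00:04Z ip=203.0.113.5 user=erin result=fail
2019-02-11T10:00:05Z ip=203.0.113.5 user=frank result=fail
2019-02-11T10:00:09Z ip=198.51.100.7 user=grace result=fail
2019-02-11T10:00:15Z ip=198.51.100.7 user=grace result=fail
2019-02-11T10:00:20Z ip=198.51.100.7 user=grace result=success
"""


def parse_line(line: str):
    """Parse one constructed 'timestamp key=value ...' line into (ts, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["ip"], kv["user"], kv["result"]


def detect_credential_stuffing(log_text: str, window_seconds: int = 60,
                               min_distinct_users: int = 5) -> dict:
    """Flag source IPs that touch >= min_distinct_users distinct accounts
    within a sliding window, regardless of success or failure.

    Per-account failure counters miss this pattern because each account
    sees only one attempt. Successes are counted too: a stuffing run that
    hits is exactly the event to surface, and the accounts it logged into
    are the ones to reset and notify.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)      # ip -> (ts, user) pairs inside the window
    successes = defaultdict(set)     # ip -> accounts it logged into
    peak_users = {}                  # ip -> largest distinct-user count seen
    for ts, ip, user, result in events:
        if result == "success":
            successes[ip].add(user)
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_distinct_users:
            peak_users[ip] = max(len(distinct), peak_users.get(ip, 0))
    return {
        ip: {"distinct_users": n, "successful_logins": sorted(successes[ip])}
        for ip, n in peak_users.items()
    }


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"logged into {info['successful_logins']}")
```

On the sample log only 203.0.113.5 is flagged, and the result names the account (dave) whose reused password let the attempt succeed. The 198.51.100.7 entries are the opposite shape, three tries against one account, which a conventional per-account lockout handles and this rule deliberately ignores. In production the window and threshold would be tuned against the site's normal traffic, and NAT gateways that legitimately front many users would need an allowlist or a higher threshold.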

