Reports: 800 Million Stolen Records Selling on Dark Web, Credential Stuffing Could Be Big Prize
Last week, hackers began selling more than 600 million stolen accounts from 16 hacked websites on a dark web marketplace known as Dream Market. The asking price is $20,000 in Bitcoin.
But that’s turned out to be just the first of three data dumps so far. A second round followed of eight databases containing 127 million stolen records. And, now the hackers have published a third batch with eight more databases containing data belonging to 93 million users, a ZDNet report said. In the most recent group is GfyCat, a GIF hosting and sharing platform. The hackers want 2.62 bitcoin or about $9,400 for the last two rounds, the report said. To date, roughly 820 million heisted records are up for sale. The hackers have vowed that figure will climb to more than one billion, ZDNet said.
That matches what the sellers reportedly told the Register, which first reported the 600 million accounts sale, when the hackers claimed that some 20 databases containing millions more records were ready to be dumped on the open market. In the Register‘s report, the seller also claimed to have swiped one billion accounts from servers in the past six years.
“Security is just an illusion,” the seller reportedly told the Register. “I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”
While the numbers are staggering, it may be more than a prodigious dark web sale that’s going on here: Credential stuffing, a cyber attack in which leaked usernames and passwords from hacked sites are used to gain access to accounts at other sites, may be the real prize for buyers. According to a separate ZDNet report, hacker groups are renting IoT botnets and running scripts to carry out credential stuffing attacks against online services. In the most recent example, the popular Dunkin’ Donuts chain announced last week that for the second time in three months it had been victimized by a credential stuffing attack during which hackers gained access to customer accounts.
Confidential information in the databases appears to contain the names of account holders, email addresses, hashed or encrypted passwords and in some cases IP addresses, location and personal details. There’s plenty of information there for hackers to extend their potential haul in credential stuffing attacks. Thus far, no bank card information has surfaced in the sales listings, the Register said. Most of the credentials came from data breaches accomplished in 2018, the report said.
There are reportedly some notables among the records for sale, including: Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million) and DataCamp (700,000).
This leakage comes a month after word that more than 770 million unique email addresses and 22 million unique passwords from some 2,000 databases were exposed during the Collection #1 incidents in January. In this latest incident, companies hit by the hack may face fines up to four percent of annual worldwide sales under the General Data Protection Regulation (GDPR), which went into effect last May. Apparently a number of the hacked organizations either failed to report the break-ins or were late in doing so. In the last few days, new confirmations of cyber robberies have surfaced from EyeEm, DataCamp and CoffeeMeetsBagel. FitnessPal, 8fit and Artsy also admitted they’d been hacked, according to the Register. Other sites are expected to confirm cyber burglaries as well.
The seller is believed to be located outside the U.S., reports said.