A single seller is offering approximately 620 million stolen customer details on the dark web, according to The Register, which says it has been in touch with the seller and that the database is genuine. The hacker claims the data was collected in 2018 through remote-code execution attacks that exploited vulnerabilities in web applications.
The account details were stolen in 16 high-profile data breaches, including those of MyFitnessPal (151 million), MyHeritage (92 million), EyeEm (22 million) and 500px (15 million). All are for sale at a total price of almost $20,000 in bitcoin. The seller claims that a Dream Market customer has already bought the database.
Here's the complete list of compromised websites:
The stolen data contains information of interest to spammers and can be used for credential stuffing. This mostly includes names, emails and passwords, occasional personal details, location and social media authentication. No bank details appear to have been compromised. The stolen passwords are hashed, so hackers need to crack them before they can use them. Most exposed are people who use weak passwords that can be easily cracked and who reuse them for multiple accounts.
Some of the websites came forward as soon as they were hacked, informed their customers and reset account passwords. In an operation that allegedly goes back to 2012, the seller claims to have 20 databases, but some will not be released online and will instead be kept for private use.
“Security is just an illusion,” the hacker said to The Register. “I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyberattacks, but with these upcoming dumps, I’ll make hacking easier than ever.”