Debate Magazine

Over 600 Million Hacked Accounts Available on Dream Market

Posted on the 22 February 2019 by Darkwebnews @darkwebnews

There has been a new case involving the sale of stolen private data on the dark web.

Recent reports reveal that a vendor has put up the details of more than 600 million accounts on one of the top marketplaces on the dark web.

The stolen data belongs to 617 million hacked accounts on 16 websites.

Buyers can currently obtain these details on Dream Market, a popular darknet market which has existed since 2013.

The supplier of the stolen data is selling the trove at $20,000 in Bitcoin. Most of the information belongs to accounts on MyFitnessPal and Dubsmash, which account for 152 million and 161 million accounts respectively.

The other websites that this sale has affected include DataCamp, MyHeritage, Armor Games, ShareThis, 500px, CoffeeMeetsBagel, EyeEm, HauteLook, Artsy, Animoto, BookMate, 8fit, Fotolog and Whitepages.

The seller of the data announced on their profile that they had a lot of fresh data, promising potential buyers that they were likely to find what they needed.

Data Breaches Reported

In 2018, one of the victimized websites, MyFitnessPal, reported a data breach.

The report stated that an unauthorized third party had breached more than 150 million accounts on the fitness and diet management platform.

The hackers stole the email addresses, passwords and usernames linked to the accounts.

MyFitnessPal warned customers as soon as they found out about the hack. The company advised the users to change their passwords and remain vigilant to avoid giving up their information to unauthorized parties.

Now, a year after the hack, the details of these accounts have appeared on the dark web.

Animoto and MyHeritage also issued warnings to their customers after discovering that they were under attack as well.

Databases for Sale on Dream Market

Reportedly, the buyers of the stolen data include credential stuffers and spammers.

These buyers mostly use the data to try accessing other accounts using the same information.

Thus, individuals who reuse the same credentials to log into different websites are the most likely to fall victim to these hackers.

The seller took advantage of weaknesses in their victims' web apps. The hacker used these vulnerabilities to obtain remote code execution, after which they would access the user account information.

Most of the accounts had hashed passwords, which the buyers would have to crack.

A MyHeritage spokesperson assessed the legitimacy of the sample accounts on the dark web and confirmed that they were genuine.

The hacker reportedly obtained the website's data in October 2017, although MyHeritage revealed the hack in 2018.

Stolen Data Includes Passwords, Email Addresses & More

The Dream Market seller gave information on the account data that they made available. For MyHeritage, the seller listed over 92 million accounts, priced at $1,976 worth of Bitcoin.

The supplier also indicated that the details for this site included passwords hashed using SHA1, the date users opened their account, as well as email addresses.

More than 161 million of the stolen accounts belong to Dubsmash. These details are worth the same amount as those of MyHeritage.

The hacker managed to access more information from these accounts, including their user ID, email address, username, SHA256-hashed passwords and country of origin.

Furthermore, the attacker obtained the first and last names of some of the users' accounts.

Another website with a large number of victimized accounts is MyFitnessPal. The details for this website are worth $1,040.

The seller is providing the accounts' usernames and IDs, email addresses and IP addresses, along with SHA1-hashed passwords.

ShareThis had more than 41 million hacked accounts. Buyers can get the data at $780.

The available account records for this website include DES-hashed passwords, usernames, names, dates of birth as well as gender.

Further, the supplier is selling HauteLook account details at the same price as those of ShareThis.

The hacker has data of more than 28 million of this site's accounts. These details include the users' names, email addresses and bcrypt-hashed passwords.

DataCamp was the site with the fewest hacked accounts. It is a tutorial platform for programming and data science.

The hacker is only selling the details of 700,000 accounts and has set their price at around $50.

The information available includes the location, bcrypt-hashed passwords along with email addresses.

Security Measures

The sale of the websites' details has brought to light the severity of cybercrime.

The operators of these websites and cybersecurity experts are now encouraging users to ensure that their accounts remain secure by regularly changing their passwords.

The experts also suggested that people should have a different password for each of their accounts.

In addition, people with online accounts can now confirm the security of their details at HaveIBeenPwned.com.

This website reveals the number of data dumps that have a user's email address or password.
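As an added illustration (not code from the original article or from the site itself), the sketch below shows how a password can be checked against such a breach corpus without sending the password anywhere, using the k-anonymity scheme of the site's Pwned Passwords range endpoint. It assumes that endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) and its `SUFFIX:COUNT` response format; the response body and all counts here are constructed so the example runs offline.

```python
import hashlib

# Assumption: the Pwned Passwords range endpoint,
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>,
# which answers with one "SUFFIX:COUNT" line per hash sharing that prefix.
PREFIX_LEN = 5


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_prefix(password: str) -> str:
    """The only value that would leave the machine: 5 hex characters."""
    return sha1_upper(password)[:PREFIX_LEN]


def breach_count(password: str, range_body: str) -> int:
    """Match the remaining 35 hex characters locally against a response."""
    suffix = sha1_upper(password)[PREFIX_LEN:]
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)  # padding entries carry a count of 0
    return 0  # suffix absent: not seen in the corpus


def constructed_response() -> str:
    """Constructed sample body, not real API output."""
    seen = sha1_upper("password")[PREFIX_LEN:]
    decoy = sha1_upper("correct horse battery staple 2019")[PREFIX_LEN:]
    return "\r\n".join([
        "0" * 35 + ":3",   # constructed unrelated suffix
        f"{seen}:12345",   # constructed count for a reused password
        f"{decoy}:0",      # constructed padding entry (count 0)
    ])


if __name__ == "__main__":
    body = constructed_response()
    for pw in ("password", "correct horse battery staple 2019", "unseen-example"):
        print(range_prefix(pw), breach_count(pw, body))
```

A non-zero count means the password has appeared in a known dump and should not be accepted or kept, which is the reuse risk the credential-stuffing buyers described above depend on.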
