The pockets of credential stuffers and spammers have been potentially fattened by another 617 million pilfered accounts, hacked out of 16 websites and now allegedly up for sale on the Dark Web.
- Dubsmash: 162 million
- MyFitnessPal: 151 million
- MyHeritage: 92 million
- ShareThis: 41 million
- HauteLook: 28 million
- Animoto: 25 million
- EyeEm: 22 million
- 8fit: 20 million
- Whitepages: 18 million
- Fotolog: 16 million
- 500px: 15 million
- Armor Games: 11 million
- BookMate: 8 million
- CoffeeMeetsBagel: 6 million
- Artsy: 1 million
- DataCamp: 700,000
The Register has contacted all of the sites, many of which are photography, game or fitness oriented. The publication has also listed summaries of what is, or was, purportedly for sale and for what asking price.
Some of the sites have previously reported breaches, while some told the Register to hold that thought – they’d need to check with their IT and legal departments about the alleged breaches.
Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total
11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed password, username, email address, language, country, plus for some, but not all the users, the first and the last name. This alleged security breach has not been previously publicly disclosed. Dubsmash is a video-messaging application popular with millennials and younger folk.
New York City-based Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner Simone McCormick told us:
Our office has been retained to assist Dubsmash in this matter. Thank you for your alert. We immediately launched an investigation. We plan to notify any and all individuals as appropriate. Again, thank you for bringing this to our attention.
The Dark Web seller is believed to be outside the US. He or she told the Register that the Dubsmash data has been purchased by at least one person.
He or she claims to be the hacker who exfiltrated the databases, each of which is being sold seperately. The hacker said that they typically extracted the credentials by exploiting security vulnerabilities within web apps to pull off remote code execution. Most of the records were stolen last year, the hacker/seller told the Register.
The records appear legitimate. At least some of the sites have confirmed the breaches. The records consist mainly of account holder names, email addresses, and hashed passwords that have to be cracked before they can be used. That’s cold comfort, however, in the case of passwords hashed using the obsolete MD5 algorithm, including some records from 500px.
Fortunately, 500px said that it’s now notifying users about the site being hacked and plans to reset all user passwords. It’s already forced password resets for passwords that were weakly hashed with MD5.
This haul represents a lot of purloined databases, and there are a commensurately large number of details available in the Register’s report. If you’re a user of any of those websites, there’s a good chance you’re already been notified, either when the site was breached last year or when it found out it was breached this week. If you haven’t already been notified, you might want to check out what’s up with your account(s) by looking them up in the Register’s article.
But wait, there’s more
The seller told the Register that s/he’s got as many as 20 databases. They said that they’re keeping some to themselves for private use, whatever that may mean. The seller/hacker also said that they’ve swiped about a billion accounts since they first began siphoning servers in 2012.
The goal: to make some money, to teach people a lesson about taking security seriously (such as by using two-factor authentication [2FA]), to make life easier for other hackers. … and to settle a score with a co-conspirator.
The crook waxed philosophical:
I don’t think I am deeply evil. I need the money. I need the leaks to be disclosed.
Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.
Just a “tool used by the system?” A-yuh.
Here’s another tool: the 2FA that the seller thinks, rightly, that people should use to fend off laissez-faire operators like him/her.
This hacker/seller is trying to make it easier for other hackers to break into our accounts. Let’s all make it harder.
Another tool that can protect us from credential-stuffing thieves: unique, difficult to guess passwords, one for each website or service we use, so these burglars can’t try to break into multiple accounts when they slurp our credentials off one source and stuff them everywhere else they can think of to see if they can get in.