A hacker using the identity ‘Gnosticplayers’ has topped up one of the largest data breaches ever publicised by offering for sale 26 million records stolen from another six online companies.
The first of four data caches came to light in early February when The Register got wind that a database of 617 million records pilfered from 16 companies had been put up for sale on the Dark Web for $20,000.
Days later, Gnosticplayers added another 127 million records from a further eight websites, before adding a third round on 17 February comprising another 93 million from a further eight sites.
The fourth round, posted to Dark Web market Dream Marketplace last weekend brings the total number of hacked records to 863 million from 38 sites.
The data at risk varies by site but reportedly includes email address, usernames, IP addresses, and in some cases, personal details, settings and in one case, phone numbers.
Passwords are also at risk with a variety of hashing algorithms used to secure them, including SHA1 (with and without salting), SHA256, SHA512 (with salting), and in the case of LifeBear, MD5.
Naked Security was unable to independently confirm the victims, but ZDNet has named the sites in the latest round as Bukalapak (13 million records) GameSalad (1.5 million), Estante Virtual (5.4 million), Coubic (1.5 million), LifeBear (3.8 million), Youthmanual.com (1.1 million).
Japanese site LifeBear was contacted by another news site which received the following statement:
We currently have been investigating the situation. We apologize for the inconvenience this may cause. We already have made contact with police department in Japan and a lawyer to consult this situation.
Two things stand out about these breaches, the first being that few of the companies seemed to be aware they’d been breached until contacted for confirmation by journalists.
A second is the sheer number of breached companies the hackers were able to break into over a period of months.
The first round of breached data included photography site 500px, which later said the data had been taken from its servers around 5 July 2018. According to ZDNet, five of the six companies in the latest cache data appear to have been breached as recently as last month.
According to the same report, allegedly, other victims were saved from being named because they agreed to pay an extortion ransom to keep it private.
What to do
Here’s the list of sites previously known to have been breached as part of the Gnosticplayers leak (in addition to those from the latest cache mentioned above):
500px, Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, DataCamp, Xigo, YouNow, Houzz, Ge.tt, Coinmama, Roll20, Stronghold Kingdoms, PetFlow, Legendas.tv, Jobandtalent, Onebip, StoryBird, StreetEasy, GfyCat, ClassPass, Pizap.
Anyone who has an account with any of these sites should change their password as soon as possible, regardless of whether they’ve been asked to do so. If two-factor authentication (2FA) is offered, turn it on.