133m records for sale as fruits of data breach spree keep raining down

A data breach broker has flooded a hacker forum with a whopping total of 132,957,579 user records.

Bleeping Computer is in touch with the data breach broker: a “known and reputable” broker who’s selling databases, all of which contain different data types but all of which include usernames and hashed passwords.

The companies whose databases are allegedly being peddled include game sites, food delivery services, Soccer streaming, online fashion and loans. Out of the 14, only four are known to have been breached: Home Chef, Minted, Tokopedia and Zoosk.

Home Chef, a meal delivery service, confirmed a data breach two weeks after a hacker group named Shiny Hunters listed a database of 8 million customer records on a dark web marketplace. Shiny Hunters was the same group that claimed to be selling Zoosk’s records – along with nine other companies’ records, for a total of 73 million user records – in May.

For its part, Minted, a marketplace for independent artists, in late May confirmed that it had suffered a data breach earlier that month – confirmation that came after a hacker sold a database containing 5 million user records on a dark web marketplace. The name of the broker? Shiny Hunters.

Also in May, data breach monitoring and cybersecurity intelligence firm Under the Breach discovered that a hacker was offering the account information for 15 million users of Tokopedia – which is Indonesia’s largest online store – on a hacker forum for as little as USD $5,000. The broker? Shiny Hunters.

In sum: as Wired notes, during the first few weeks of May, the hacking group went on a data breach spree, hawking close to 200 million stolen records from over a dozen companies.

Bleeping Computer didn’t name the data breach broker it’s been in contact with, but it’s highly possible its initials turn out to be SH. The broker told the news outlet that the 14 databases they’re selling can be had for as little as $100, on up to $1,100.

The allegedly breached companies

Bleeping Computer provided this table of the companies that were allegedly breached, when, and the size of the holes allegedly bitten out of them.

Company # of records Alleged Breach Date
DarkThrone 282,825 June 2020
Efun 2.2 million 2020
Fluke 353,321 June 2020
Footters 209,783 June 2020
HomeChef 8 million 2020
JamesDelivery 1.6 million March 2020
KitchHike 115,480 June 2020
KreditPlus 896,170 June 2020
Minted 4.3 million May 2020
Playwings 4.1 million April 2020
Revelo 1.1 million June 2020
Tokopedia 91 million April 2020
Yotepresto 1.4 million June 2020
Zoosk 29.1 million January 2020

What to do?

If you have an account at any of those sites, regardless of whether they’ve confirmed a data breach or not, you’d be well advised to assume it has and to take appropriate steps to protect yourself.

True, the passwords leaked in the confirmed and unconfirmed, purported breaches were encrypted, but we’ve already seen threat actors crack some of them – specifically, in the case of Tokopedia.

After they crack your password, threat actors can use it in credential-stuffing attacks at other sites. Thus, if you’re a customer of any of those sites from the table above, please do immediately change your password. Make it a tough nut to crack, and make sure it’s unique. In other words, don’t reuse passwords: doing so could let the crooks take over your social media accounts, break into your online banking account, and far more. Whenever you reuse a password, you needlessly multiply your risk.

Don’t feel like squeezing yet one more gnarly password out of your wetware? Relax and let your synapses bathe in brain goo while you turn the chore over to a password manager. We love them: they’re the application version of nagging security wonks like us!

Password managers not only concoct high-entropy passwords; they also make sure you use unique passwords at every site. Granted, password managers aren’t perfect, but they’re close enough to be highly recommended!