Hackers compiled data from all the breaches (MyFitnessPal, CoffeeMeetsBagel, Dubsmash, etc.) for a blowout sale on the Dark Web. Is your information compromised?
Data Breach After Data Breach
If you used services such as MyFitnessPal (151 million) and Dubsmash (162 million), you need to change your password now. Needless to say, if you use that password on more than one site, it needs to be changed on all those too. Enable two-factor authentication for an extra layer of security on your accounts.
In Forbes, Kate O’Flaherty disclosed all the details about this recent Dark Web discovery in “Hackers Have Just Put 620 Million Accounts Up For Sale On The Dark Web — Are You On The List?”:
It is only the second month of the year, but it seems 2019 is already making its mark via breaches of “collections” of customer details. Only last month, the so-called Collection #1 breach saw more than a billion unique email address and password combinations posted to a hacking forum for anyone to see.
Then emerged Collection 2-5 taking the total number of hacked user accounts published to a shocking 2.2 billion. Now, in a new revelation, 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, the seller of the data trove has told the Register.
The details are available from the Dream Market cyber-souk located in the Tor network for the price of less than $20,000 in Bitcoin, the hacker told the tech site.
How serious is it?
It seems to be legit. The Register has seen sample account records from the multi-gigabyte databases. According to the tech site, they consist mainly of account holder names, email addresses, and passwords. But one silver lining: The exposed passwords are hashed. This means they can’t be used by criminals until they are cracked.
Other information compromised includes personal and location details. However, no bank information appears to be on the list.
As with similar collections, the details are earmarked for sale to attackers who wish to perform credential stuffing attacks. If they are able to crack some of the weaker passwords, this will see them throwing compromised usernames and passwords at a number of big sites. The idea is to catch people out if they have been using the same password across a number of services.
Which sites are on the list?
The following sites, in order of volume of details compromised, are on the list. Some of these breaches were already known about, but it’s the first we’ve heard about some of the others. It’s all too common to suffer a hack – and sometimes firms are attacked without their knowledge.
Dubsmash (162 million details)
MyFitnessPal (151 million details)
MyHeritage (92 million details)
ShareThis (41 million details)
HauteLook (28 million details)
Animoto (25 million details)
EyeEm (22 million details)
8fit (20 million details)
Whitepages (18 million details)
Fotolog (16 million details)
500px (15 million details)
Armor Games (11 million details)
BookMate (8 million details)
CoffeeMeetsBagel (6 million details)
Artsy (1 million details)
DataCamp (700,000 details)
What to do now?
Unfortunately, the security of people’s data often seems to come down to the company that is handling it – and this is not always top notch. Needless to say, if you are a user of any of these services, you need to change your password now. In addition, if you use that password on more than one site, it needs to be changed on all of those too. You should also be using two-factor authentication where possible.
If the hacks of recent times are telling us anything: It’s that users need to tighten up their own password practices in order to avoid being caught out. It makes sense to use a password manager such as LastPass and Dashlane. If the latter, just make sure you secure it with an additional password, as a vulnerability was recently found.
It also makes sense to visit a site such as HaveIBeenPwned. A few users have questioned this service – but it is completely legit and run by renowned security researcher Troy Hunt. The site allows you to enter your email address and passwords to see if these have been compromised in other breaches. The idea is, if they have, you can then change them across the affected services.
And it goes without saying to be careful who you give your data to. Don’t sign up to services needlessly and be sure of who you can and can’t trust with your valuable personal information.
O’Flaherty, K. (2019). Hackers have just put 620 million accounts up for sale on the dark web — are you on the list? Forbes.