Hacker Gnosticplayers Puts His Fourth Batch of 26.42 Million Passwords on the Dark Web

Gnosticplayers Releases Fourth Round of Stolen Databases

A little over a month ago, a cybercriminal used Dream Market, a dark web marketplace, to try to sell just under 620 million user records stolen from a total of 16 websites and apps. The criminal in question goes by the nickname Gnosticplayers, and when reporters got in touch with him, he promised that he would be putting many more accounts up for sale. Gnosticplayers, it seems, is a man of his word.

Mere days after the initial ad, Gnosticplayers published another one, this time offering petty crooks the chance to buy 127 million records stolen from 8 websites. The third round came on February 17, when Gnosticplayers released a further 93 million records taken from 8 websites.

In his own words, Gnosticplayers isn't just a reseller that gathers and organizes stolen databases and profits from them. He claims that he has single-handedly hacked into and stolen every single one of the databases he is offering. After the third batch, his activity on the Dream Market decreased. Until the other day, that is.

Gnosticplayers sticks a "For Sale" sign on 26 million records

At 26 million records, the fourth batch of stolen data is considerably smaller than the previous ones. Predictably, while the first set of databases costs around $20 thousand, this one can be had for "just" $5 thousand. Do the math, however, and you'll see that the price per record is considerably higher. Can this be justified?

Well, the hacked websites don't seem to be especially interesting. About half of the data comes from Bukalapak, an Indonesian online retailer. The rest of the compromised providers include game developer platform GameSalad; a Brazilian book shop called Estante Virtual; Coubic and LifeBear, a couple of scheduling applications; and YouthManual, an Indonesian career website. As always, the databases can be bought separately or in bulk.

Although we're not talking about the most popular websites in the world, some cybercriminals might be interested in Gnosticplayers' offer because, if the hacker is to be believed, the data is quite fresh. ZDNet reports that apart from Bukalapak, all the other databases were stolen during the month of February, which means that the usernames and passwords inside them are fairly new and will most likely work. And because people tend to reuse their passwords, the databases can act as the perfect launchpad for a large-scale credential stuffing attack.

Why does Gnosticplayers do it?

Although he is unlikely to stand in front of a TV camera for obvious reasons, it's fair to say that Gnosticplayers isn't exactly interview-shy. Over the past month or so, he has talked to reporters about what he's done and why he's done it. His replies aren't very consistent.

When he offered the first set of databases, he said that his aim was simple – sell a grand total of 1 billion records and retire. Later, he claimed that he is hoping to see the "downfall of American pigs" although he failed to mention how his business is going to help. Now, he's singing a different song.

When ZDNet asked him why he's selling the latest batch of compromised databases, he said that he's just "upset" about the way service providers store people's passwords.

Secure password storage is indeed something website operators and developers struggle with. Every single one of Gnosticplayers' databases contains passwords that are hashed with outdated algorithms like SHA1 and MD5, which means that they can be cracked back into plain text relatively easily. What the hacker doesn't seem to understand is that stealing people's data, sharing it with cybercriminals, and making money from it isn't going to solve the issue.
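For operators still holding MD5 or SHA1 password hashes, the sketch below shows one way to move off them without forcing a mass reset: verify the legacy hash at login, then immediately replace it with a salted scrypt record. It is an added example, not code from the article or from any of the affected sites; the record format, function names and scrypt cost parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def _verify_legacy(password: str, stored: str) -> bool:
    """Check an unsalted hex MD5 (32 chars) or SHA1 (40 chars) record."""
    algo = {32: "md5", 40: "sha1"}.get(len(stored))
    if algo is None:
        return False
    candidate = hashlib.new(algo, password.encode()).hexdigest()
    return hmac.compare_digest(candidate.encode(), stored.lower().encode())


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, new_record); new_record is set only when a legacy
    hash verified and should be replaced in the database."""
    if stored.startswith("scrypt$"):
        try:
            _, salt_hex, digest_hex = stored.split("$")
            salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        except ValueError:
            return False, None  # malformed record
        return hmac.compare_digest(_scrypt(password, salt), digest), None
    if _verify_legacy(password, stored):
        return True, hash_password(password)
    return False, None


if __name__ == "__main__":
    legacy = hashlib.md5(b"constructed-sample-pw").hexdigest()  # constructed record
    ok, upgraded = verify_and_upgrade("constructed-sample-pw", legacy)
    print(ok, upgraded.split("$")[0])
```

Accounts that never log in keep their legacy hash, so a migration like this is usually paired with a deadline after which remaining MD5 and SHA1 records are invalidated and those users go through a password reset.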

March 21, 2019
