Is Your Personal Data Among the 620 Million Accounts That Have Been Placed for Sale on the Dark Web?

620 Million Records For Sale On The Dark Web

What do you need if you want to get your hands on just over 617 million account records stolen from 16 different websites? We have a surprisingly specific answer. You need an internet connection, about $16 thousand worth of bitcoin, and just under 43GB of free storage space on your hard drive.

The data is for sale on Dream Market – a dark web marketplace that is accessible to anyone with a Tor browser. Online IT magazine The Register was the first to report on the details.

What's on offer?

Once again, the answer is pretty specific. Here's a summary:

  • 161 million records stolen from a video messaging application called Dubsmash. The records include usernames, email addresses, user IDs, the users' countries of residence, and SHA256-hashed passwords.
  • Just under 15 million records stolen from 500px, an online photography community. Compromised data includes, among other things, usernames, email addresses, first and last names, dates of birth, hash salts, and passwords that have been hashed with either MD5, SHA512, or bcrypt.
  • A little over 22.3 million records taken from EyeEm, another online platform for photographers. Most of the records consist of an email address and a SHA1-hashed password.
  • Just under 20.2 million records extracted from 8fit, a health and fitness app. The data consists of IP addresses, names, email addresses, Facebook authentication tokens and information from connected Facebook accounts, the country of residence of individual users, and bcrypt-hashed passwords.
  • 16 million records that belong to Fotolog, another social network for photographers. The dump contains names, security questions and answers, email addresses, SHA256-hashed passwords, and other profile information.
  • More than 25 million records stolen from Animoto, a platform for creating videos. The records include first and last names, email addresses, countries of residence, dates of birth, hash salts, and SHA256-hashed passwords.
  • A little over 92 million records stolen from MyHeritage, an online genealogy platform. The data includes the dates on which the compromised accounts were created, email addresses, SHA1-hashed passwords, and hash salts.
  • A little over 151 million records stolen from MyFitnessPal, a fitness app owned by Under Armour. Each record consists of an IP address, a user ID, a username, an email address, a salt that's fixed for the whole table, and a SHA1-hashed password.
  • 1 million records stolen from Artsy, an online hub for art collectors. The records include names, email and IP addresses, locations, and SHA512-hashed passwords with salts.
  • 11 million records stolen from Armor Games, a website for browser-based games. The data consists of usernames, email addresses, dates of birth, SHA1-hashed passwords and salts, as well as other profile details.
  • 8 million records taken from Bookmate, an eBook subscription service. Most of the records consist of various profile details, usernames, email addresses, and SHA512-hashed passwords with salts.
  • Just under 6.2 million records from CoffeeMeetsBagel, a dating website. Most of the records contain names, email addresses, dates of registration, SHA256-hashed passwords, and other account details.
  • 700 thousand records stolen from DataCamp, an online education platform for people who want to learn about data science and programming. The stolen data consists of email addresses, bcrypt-hashed passwords, and other profile details.
  • 28 million records pilfered from HauteLook, an e-commerce business selling clothes and jewelry. The records contain names, email addresses, and bcrypt-hashed passwords.
  • 41 million records extracted from ShareThis, a widget for browsers and blogging platforms that makes sharing content easier. The data contains names, usernames, email addresses, dates of birth and other profile information as well as DES-hashed passwords.
  • Just under 18 million records stolen from Whitepages, an online telephone and address directory. The data consists of first and last names, email addresses, and passwords that have been hashed with either SHA1 or bcrypt.

Most of the databases were apparently obtained in 2018, and they can be bought individually at prices ranging from just under $50 to around $2,000. The seller said that someone has already purchased the Dubsmash data.

Nobody knew about most of the breaches

We've talked in the past about how some hacking incidents remain undiscovered for years on end, and the treasure trove of data described above proves the point rather well. Of all the vendors that were breached, only MyFitnessPal, MyHeritage, and Animoto disclosed the leaked data last year. The rest either didn't know about the incidents or were deliberately keeping them under wraps.

Now, it's all coming to light. Shortly after The Register's report went out on Monday, 500px started resetting users' passwords, and since then, EyeEm and DataCamp have also begun notifying the affected account owners. When contacted by The Register, some of the vendors said that they need more time to investigate before they can make a public announcement.

A credential stuffer's dream

Hopefully, all affected parties will do what they need to do sooner rather than later, because there's little doubt in anyone's mind that the data is valid and can be used. The usernames and passwords are perfect for credential stuffing attacks, partly because there are so many of them and partly because they're relatively new. The leaked Collections that recently made quite a few headlines attracted a lot of attention because of the sheer volume of data they contained. Because the usernames and passwords in those dumps were stolen years ago, however, many of them are useless. With these more recent breaches, the chances of extracting valid credentials are much higher.

This is in part due to the vendors' password storage habits. As you can see, none of them stored passwords in plaintext, which is good. Many used weak hashing algorithms, however, which is not so good.

MD5 and SHA1 can be cracked with relative ease, and even stronger general-purpose hashes like SHA256 can prove vulnerable, especially if the hashing is not implemented properly (for example, without a proper per-user salt) or if the password itself is weak. In theory, people whose passwords were hashed with bcrypt should be safe, but even the vendors that chose the right algorithm are urging users to change their passwords.
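To make the difference concrete, here is an added example (not code from the article or from any of the vendors named) that puts the weak end of the list, unsalted SHA1, beside a salted, deliberately slow scheme. The standard library's PBKDF2-HMAC stands in for bcrypt, which needs a third-party package; the user table, the iteration count, and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work factor for the illustration; production values should follow current guidance.
PBKDF2_ITERATIONS = 100_000


def weak_store(password: str) -> Dict[str, str]:
    """Unsalted, fast SHA1, the scheme behind several of the leaked tables."""
    return {"alg": "sha1", "salt": "", "digest": hashlib.sha1(password.encode()).hexdigest()}


def strong_store(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Per-user random salt plus a slow key derivation function (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2_sha256", "salt": salt.hex(), "digest": digest.hex()}


def verify(record: Dict[str, str], password: str) -> bool:
    """Recompute the stored digest and compare in constant time."""
    if record["alg"] == "sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS
        ).hex()
    return hmac.compare_digest(candidate, record["digest"])


def shared_digests(records: List[Dict[str, str]]) -> int:
    """Count records whose digest also appears elsewhere in the table.

    Without per-user salts, every reuse of a common password is visible in the dump,
    so recovering one hash reveals every account that chose the same password.
    A salted table shows no such collisions even when passwords repeat.
    """
    counts: Dict[str, int] = {}
    for record in records:
        counts[record["digest"]] = counts.get(record["digest"], 0) + 1
    return sum(n for n in counts.values() if n > 1)


# Constructed sample: three users, two of whom picked the same password.
SAMPLE_PASSWORDS = ["sunshine", "sunshine", "correct horse battery"]
```

Running `shared_digests` over `weak_store` and `strong_store` records built from the sample passwords shows 2 colliding records in the unsalted table and 0 in the salted one, which is the practical reason the article's salted, bcrypt-protected dumps are worth less to a buyer.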

The price of personal data sold on the dark web

Sometimes, vast quantities of personal information can be found on a public internet forum that can be reached via Google. As you can see, in other cases, the data is sold on the dark web.

It's not exactly expensive, though. Some of the records in these databases contain quite a lot of personal information, and yet, the average price of a single record is $0.00002. Think about this the next time you're signing up for a new service.

February 13, 2019
