A dark web marketplace this week reportedly began selling stolen data linked to roughly 617 million user accounts from 16 different websites.
The Register was first to report the incident, citing details provided by the seller,
who has set up show on the Tor network-based site Dream Market cyber-souk.
The affected online services consist of video messaging application Dubsmash (162 million accounts affected); health apps MyFitnessPal (151 million) and 8fit (20 million); genealogy platform MyHeritage (92 million); content sharing service ShareThis (41 million); Nordstrom's member-only shopping website HauteLook (28 million); cloud-based video creation service Animoto (25 million); photography sites EyeEm (22 million), Fotolog (16 million) and 500px (15 million); online directory Whitepages (18 million); game portal website Armor Games (11 million); e-book subscription service BookMate (8 million); dating site CoffeeMeetsBagel (6 million), art appreciation website Artsy (1 million); and online learning platform DataCamp (700,000).
According to The Register, MyFitnessPal, Animoto and MyHeritage each disclosed a data breach last year that corresponds to this latest incident, while the remaining websites have not (possibly because they were unaware they were victimized).
Compromised data primarily consists of individuals' names, email addresses and hashed or encrypted passwords. But depending on the website, other lifted information includes usernames, IP addresses, birthdays, locations, countries, language, interests, account creation dates and security questions and answers. Presumably, cybercriminals who engage in spamming and credential stuffing campaigns would be able to make use of this information.
"Leaked credentials leave people vulnerable to account hijacking across all services where they recycle their usernames and passwords," said Anurag Kahol, CTO and founder of Bitglass. Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless password habits."
Stephan Chenette, CTO and co-founder of AttackIQ, agreed, noting, "It is quite common for people to reuse the same login credentials for accounts across a wide range of services in different industries including the financial, healthcare, retail and education verticals. If a malicious actor was able to obtain the email address and crack a hashed password for just one of these accounts, they could potentially gain access to multiple accounts with sensitive information."
Reportedly, the seller has set the value of the entire data set at approximately $20,000, but is offering each website's data individually. At least one buyer purchased the Dubsmash data set, according to the seller, who says he (or she) stole the data by exploiting web app vulnerabilitie
"The bulk of these credentials were acquired from data breaches that occurred during 2018, meaning that the companies affected, such as Dubsmash, may face fines up to four percent of annual global turnover or €20 million under GDPR for compromising the information of EU citizens," said Jonathan Bensen, interim CISO at Balbix. "What is concerning is that several breached sites failed to disclose these attacks, demonstrating that the companies either were unaware or decided to not reveal the incidents."
This latest data breach headache follows news of a series of major data dumps known as Collection #1 and Collection #2-5, which left billions of email addresses and associated passwords exposed on the web.