Over 617 million hacked accounts have been put up for sale on the dark web. The data reportedly stems from 16 separate data breaches and is hosted on Dream Market, an illegal marketplace on the dark web. The user data apparently comes from hacked websites that include MyHeritage, Dubsmash, Animoto, MyFitnessPal and more.
While most of the websites named by the seller have reported data breaches in the past, some, like the photography network 500px, had not previously reported any security breach. Although it varies from one breach to another, stolen data usually comprises email addresses, passwords, location and other personal details.
The listing of the data was first discovered by The Register. According to the report, the data breaches are listed individually in the marketplace, all by the same vendor. The seller joined Dream Market on February 6 and goes by the alias “gnosticplayers”. He even has a five-star rating, although that comes from a single buyer.
The profile of the seller states, “Feel free to message me here on Dream Market to tell me what kind of data you’re searching (crypto, gaming, or huge data sets) and I will list it here for sale right after.”
Furthermore, the seller writes, “Since I have a huge reserve of fresh data, I probably have what you need. If the data does not correspond to what the breach information specifies, do an escrow dispute. However, carefully read the listing of what you’ll receive because if you purchase it you agree to receive the specified data.”
This is not the first time breached data has ended up for sale on dark web marketplaces. However, the scale of such a breach might result in a big change in public sentiment towards internet security. Much of the breached data is from websites that never disclosed getting hacked. This could be a violation of GDPR rules in the EU and the companies may be subject to heavy fines.
The breach also seems preventable. The hacker stated they simply exploited existing vulnerabilities in web apps and websites, which are easy to fix. Despite that, the brunt of the breach will be borne by the people whose data has been compromised.
You can check whether your email address has been compromised by heading over to the Have I Been Pwned website, which collates major data breaches.