620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller. For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network: Dubsmash …

  1. Anonymous Coward

    "CoffeeMeetsBagel is a dating website."

    Really? So how does that work?

    "Wanted: steamy, black and sweet to give this toasted lemon poppy seed a schmear"

    Nope, don't even want to see that data!

  2. iLurker

    Seems like the miscreants just got some free advertising, courtesy of the Reg.

    1. bombastic bob Silver badge
      Alert

      well, if the "one customer" who downloaded the database happens to be LAW ENFORCEMENT...

    2. Khaptain Silver badge

      "Seems like the miscreants just got some free advertising, courtesy of the Reg."

      I'd rather know about the hack than not know, even if it means free publicity.

      I would also presume that potential hackers don't use El Reg as their source of latest hacks...

      1. phuzz Silver badge
        Pirate

        It's good to know about the hack, but it does add some value to the hacker to have a reputable news outlet do the hard work of contacting firms and getting them to confirm that, yes indeed, that is their data.

        Before, it was just a large, but untested dump, which may or may not have contained useful (to ne'er-do-wells) information. Now it's confirmed, by at least some of the firms impacted, that the data and hashed passwords are legit.

        1. Anonymous Coward

          Previously it was known that it was legitimate by the hacker who stole it and every person he passed it to and anyone who bought it.

          At least now the people actually affected can know about it and know that it is legitimate.

    3. Anonymous Coward

      I would expect that if you work in that market then you already know about this offer and are thinking about checking it for duplicates with your own lists. At least El Reg is making sure everyone, even the lusers, know about it.

    4. sum_of_squares

      IIRC this is called "full disclosure"...

  3. Anonymous Coward

    Undisclosed incidents

    Be very interesting to see if all the dumps are legit - especially for those companies that either chose not to disclose, or were so clueless they didn't even know they had been hacked. Not sure which is worse.

    1. a_yank_lurker

      Re: Undisclosed incidents

      Clueless is bad enough but that can be fixed. Refusing to disclose is much worse as that is a willful decision by management not to talk. However the reason why a site is clueless could be very problematic as it points to mismanagement or willful ignorance of best practices. But if someone gets religion the clueless can straighten up surprisingly fast. A decision not to disclose indicates a company that refuses to take responsibility for customer data; something the GDPR is aimed squarely at. At any rate it could be interesting for some of them.

  4. Anonymous Coward

    Non-disclosure

    Those sites who knew about their databases being breached but did not inform the end user should, first, be closed down and, second, have the bosses spending time in the chokey, because their failure to disclose, purely to protect their own reputation and income, not only puts *ahem* at risk but also encourages the miscreants to dig deeper into other sites. Be open about such things, or begone.

  5. pcolamar

    Does this imply that 16 newly opened CISO positions have been made available? :-)

    - No further comment - :-)

  6. Pascal Monett Silver badge
    Mushroom

    "I'm just a tool used by the system."

    No you are not. You made the choice to become a person inflicting misery on others, you could have very well chosen to do otherwise. You are, however, the perfect target for a number of tools, such as a golf club, a tire iron, maybe even a sledgehammer.

    1. bombastic bob Silver badge
      Trollface

      Re: "I'm just a tool used by the system."

      intarweb miscreants... the cops won't believe they're guilty of anything unless they LOOK like criminals.

      You know, how criminals have broken bones, missing teeth, large bruises, scrapes all over them as if they'd been thrown down a couple o' flights of stairs, or got dragged at 30+MPH over a gravel road...

      "Yep, THAT GUY looks like a criminal!"

      also reminds me of the way a thief on a ship might get treated, accidentally falls overboard and the guy wut dun it quietly whispers "man overboard..." then about 30 minutes later, "MAN OVERBOARD!"

      Or another Navy guy I knew, back in the day, who liked to sing a parody of a 60's song, with words like this: "If I had a hammer, I'd smash your @#$%^'ing head in!"

    2. paulll

      Re: "I'm just a tool used by the system."

      "You are, however, the perfect target for a number of tools, such as a golf club, a tire iron, maybe even a sledgehammer."

      That was my instinct - absolutely not, of course, out of any sense of malice or drive to do violence; I simply think he needs his awareness raised as to the nature of golf club injuries. It would be an act of benevolence toward him, really.

  7. MJB7
    Boffin

    Password hashing

    I can't see *any* mention of PBKDF2 in the password hashing. Is that because nobody used it, or because the journalist didn't realize the importance?

    (For those that don't know, PBKDF2 is an algorithm to iterate a hash function many times. A database where the password has been hashed with MD5 100,000 times is at least 10,000 times better protected than a database where the password has been hashed with SHA512 once.)
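The stretching MJB7 describes, shown as an added example (not code from any commenter or from the sites in the article). It uses Python's standard-library PBKDF2-HMAC-SHA256 rather than the iterated MD5 of the comment, keeps the iteration count in the stored record so it can be raised later, and upgrades a below-policy record at the moment of a successful login, which is the only time the plaintext is in hand. The 100,000-iteration policy value, the record layout and the cost benchmark are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Tuple

# Iteration count the site's policy demands today (assumed policy value).
POLICY_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = POLICY_ITERATIONS) -> Dict:
    """Store everything needed to verify later: iteration count, per-user salt, hash."""
    salt = os.urandom(16)
    return {"iterations": iterations, "salt": salt,
            "hash": hash_password(password, salt, iterations)}


def verify(record: Dict, password: str) -> bool:
    """Recompute with the record's own parameters; constant-time compare."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def needs_rehash(record: Dict, policy: int = POLICY_ITERATIONS) -> bool:
    """True if the stored hash was made with fewer iterations than policy now demands."""
    return record["iterations"] < policy


def login(record: Dict, password: str, policy: int = POLICY_ITERATIONS) -> Tuple[bool, Dict]:
    """Verify the password and, on success, transparently upgrade a weak record.

    No forced reset is needed: the user supplied the plaintext, so a fresh
    record at the current policy can be written right now.
    """
    if not verify(record, password):
        return False, record
    if needs_rehash(record, policy):
        record = make_record(password, policy)
    return True, record


def guess_cost(iterations: int, guesses: int = 20) -> float:
    """Seconds to test `guesses` candidates against one record, single-threaded.

    iterations=1 approximates 'hashed once'; compare with POLICY_ITERATIONS to
    see the factor the comment is talking about.
    """
    salt = b"constructed-fixed-salt"
    start = time.perf_counter()
    for i in range(guesses):
        hash_password(f"guess{i}", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # A legacy record made when the site used only 1,000 iterations (constructed).
    rec = make_record("correct horse battery staple", iterations=1_000)
    ok, rec = login(rec, "correct horse battery staple")
    print(ok, rec["iterations"])   # upgraded to the policy count on successful login
    print(verify(rec, "wrong"))
    print(f"1 iteration: {guess_cost(1):.4f}s, "
          f"{POLICY_ITERATIONS} iterations: {guess_cost(POLICY_ITERATIONS):.2f}s")
```

The ratio printed by the last line is the per-guess slowdown an offline cracker faces for this record; it scales linearly with the iteration count, which is why the count must be stored per record and raised over time rather than fixed once.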

    1. phuzz Silver badge

      Re: Password hashing

      PBKDF2 was only recommended in 2017, which was when the first of the dumps came from, so I'd be surprised if any of them are using it. I'd expect it to start showing up in dumps in a couple of years, if not longer. Companies rarely move fast (and nobody is going to force all their existing customers to change their passwords, especially if it means admitting that the old ones might not have been secure).

      Also, the sort of company that would use a bleeding edge crypto method, like PBKDF2, might be paying a bit more attention to their basic security, and would be less likely to end up in a dump like this.

  8. JimmyPage Silver badge
    Unhappy

    God, there are some really shit websites out there ...

    Not sure which is more depressing ... the list of websites pwned, or the numbers of morons that sign up to them? I bet the strike rate for reused credentials is sky-high in that pile.

    That said, while I struggle to believe that the six million accounts supposedly contained in the "CoffeeMeetsBagel" dataset relate to six million people, I could easily believe the owners of said website stuffed their user table with six million records in the hope of finding someone to buy them up; which seems to be SOP for some sites ....

  9. adnim

    hacked account indicator

    Normally, although not always, if one's email address becomes publicly available it will be spammed.

    Now if one uses a different email address for any accounts one wishes to remain secure, for example mypaypal@xxxx.xxx for PayPal or myamazon@xxxx.xxx for Amazon, etc., then if any spam hits those email addresses, it is a good indicator of that email address being in the public domain.

    1. Anonymous Coward

      Re: hacked account indicator

      or just sign up to https://haveibeenpwned.com/ ?

      1. Anonymous Coward

        Re: hacked account indicator

        "or just sign up to https://haveibeenpwned.com/ ?"

        Only two of my many variant email addresses are in that collection.

        It doesn't contain my Paypal email address - which does get spammed as anyone I buy something from might have let it leak.

      2. IceC0ld

        Re: hacked account indicator

        or just sign up to https://haveibeenpwned.com/ ?

        ===

        now, it MAY just be me ........................ but I always suspected that should I ever have to use said site, that the response would always be ...........

        you have NOW :oP

    2. N2

      Re: hacked account indicator

      Yes, that's a good policy, I do likewise.

  10. Version 1.0 Silver badge
    Meh

    617M real account details?

    Watching the spam emails at the mail server I find that less than 1% of the incoming spam is using valid addresses - the vast majority of incoming mail has completely fake addresses - email addresses that have never existed. I suspect that's going to be the case here too, the vast majority of these "account details" are probably fakes generated, and inserted into the database, to make it look big and saleable.

    1. Lee D Silver badge

      Re: 617M real account details?

      Same.

      When I check haveibeenpwned for my work domains and personal domains, they are the same situation.

      Either nonsense, made-up-hex-looking usernames, or off-by-ones in the database (e.g. sername@domain.com, jsmithj@domain.com) etc. where someone can't write a spam database program properly and it jumbles up things. I also get valid-looking but never-been-present usernames on my domain (e.g. genuinelookingname@mydomain.com where genuinelookingname was probably associated with domains *similar* to mine, but not actually mine), etc.

      There's a lot of junk. A lot of those accounts may have been valid at some point but not any longer. Most people barely keep an email account more than a handful of years, in my experience. Mine is over 22 years old, though, and still going - because I bought the domains and just forward to Hotmail/Gmail/SquirrelMail/my own server/whatever was trendy at the time to actually *read* the email.

      In that time, you'd expect my domain to be spammed to oblivion with all those old accounts. A couple of companies have been compromised in the past, so those email addresses crop up quite a lot (because spammers just copy other spammers' old databases). Things like addresses I used on Usenet and mailing lists are spammed all the time. Anything used in plain-text on a website (e.g. contact addresses, etc.). But most of the spam is literal made-up or false junk @mydomain.

      I'd estimate there are 100 addresses on my domain that are actually valid. Of those about 3-4 are compromised or spammed. About 10 or so I've blackholed for either being spammed or other reasons. But my server sees attempts to deliver to several thousand emails every day that have never actually existed at my domain.

      The best bit of such a system - compromise the database, grab the email and password from some ancient account from a defunct company... now try to apply that anywhere else on the net apart from that company's services. Even if I've re-used that password elsewhere (e.g. forum accounts that I just don't care about and hold no information on me), you can't even start to guess the email I actually used to sign up with for, say, Paypal or Amazon or whatever so you couldn't re-use that password anyway.

      617m account details would, if I applied statistics, probably relate to less than a million real accounts that are active. Some of those would probably be shared. Most of them would be bog-useless to do anything other than send a spam email (e.g. if you got into my Reg account... what exactly could you do with it? Post a dodgy comment?).
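Version 1.0's "less than 1% valid" observation and Lee D's breakdown of junk recipients (hex-looking local parts, off-by-one mangling of real names, plausible names that never existed) can be turned into a small triage step over a catch-all domain's delivery attempts. This is an added example, not code from either commenter: the mailbox list and the attempted recipients are constructed, and the edit-distance threshold of 2 and the hex-junk pattern are assumptions chosen to match the categories described in the thread.

```python
import re
from typing import Dict, Iterable, Set

# Constructed: the local parts that genuinely exist on the catch-all domain.
VALID_LOCAL_PARTS: Set[str] = {"jsmith", "username", "sales", "postmaster"}
DOMAIN = "example.com"

# Constructed: one day's attempted recipients as seen by the catch-all.
ATTEMPTED = [
    "jsmith@example.com",             # real mailbox
    "sername@example.com",            # off-by-one of 'username' (leading char lost)
    "jsmithj@example.com",            # off-by-one of 'jsmith' (char duplicated)
    "a9f3c1e2d0@example.com",         # made-up hex-looking local part
    "sales@example.com",              # real mailbox
    "username@example.com",           # real mailbox
    "genuinelookingname@example.com", # plausible, but never existed here
    "info@example.com",               # plausible, but never existed here
    "b7e2@example.com",               # made-up hex-looking local part
]

HEX_JUNK = re.compile(r"[0-9a-f]{4,}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values flag a mangled copy of a real address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(address: str, valid: Set[str] = VALID_LOCAL_PARTS,
             domain: str = DOMAIN, max_distance: int = 2) -> str:
    """Bucket one recipient into the categories the thread describes."""
    local, _, dom = address.lower().rpartition("@")
    if dom != domain:
        return "other-domain"
    if local in valid:
        return "valid"
    if any(levenshtein(local, v) <= max_distance for v in valid):
        return "near-miss"          # a real address, mangled by a sloppy list builder
    if HEX_JUNK.fullmatch(local):
        return "hex-junk"           # nonsense that never existed
    return "never-existed"          # plausible name, no such mailbox


def summarize(addresses: Iterable[str]) -> Dict[str, int]:
    """Count each category; 'valid' over the total is the figure Version 1.0 quotes."""
    counts: Dict[str, int] = {}
    for addr in addresses:
        bucket = classify(addr)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def valid_fraction(addresses: Iterable[str]) -> float:
    """Share of delivery attempts aimed at mailboxes that actually exist."""
    addresses = list(addresses)
    counts = summarize(addresses)
    return counts.get("valid", 0) / len(addresses) if addresses else 0.0


if __name__ == "__main__":
    for addr in ATTEMPTED:
        print(f"{addr:32} {classify(addr)}")
    print(summarize(ATTEMPTED))
    print(f"valid share: {valid_fraction(ATTEMPTED):.0%}")
```

Near-misses are worth tracking separately from outright junk: a cluster of them around one real local part suggests that address is circulating in copied lists, which is the same signal adnim proposes using per-site aliases to obtain.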

      1. Doctor Syntax Silver badge

        Re: 617M real account details?

        "you can't even start to guess the email I actually used to sign up with for, say, Paypal"

        Not the best example. PayPal actually give this address out to "merchants" when you make a payment. I put merchants in quotes because I got spammed on my PayPal address by archive.org* recently because I'd responded to their previous donation appeal. It cost them a donation this appeal of course....

        * who aren't even a merchant and would have no reason to need an email address under any of PayPal's feeble excuses.

    2. Anonymous Coward

      Re: 617M real account details?

      So many accounts, supposedly, and yet I have never actually heard of any of those websites...?!

      1. IceC0ld

        Re: 617M real account details?

        not just your good self, I have been a peruser of said interwebs for more years than you can shake an abacus at, and I have not heard of a single one of them either ......................

  11. Lee D Silver badge

    Hash

    Surprised quite how many of them are using salted hashes (even if some of them are out of date).

    I was honestly expecting a lot worse.

    This is why you use a unique username/email and password for each site, and why you DON'T plug them into a password manager.

    Buy yourself a domain. Use the "catch-all" functionality to make up any email address you like for each company, and either generate random passwords or only re-use passwords with same-level-of-access sites (e.g. if one dating site has all your stuff, then another dating site sharing the same password gets them no more information than they've already got, but saves you having to remember/write down a million different passwords. Use a password for banking, one for accounts with credit cards, one with personal information, one for forum accounts, etc. and you only need a handful of passwords. Plus, if you use unique username/email combos then it doesn't really matter if your password gets stolen from one site - the same credential won't work on another because the username will be all wrong anyway).

    1. Doctor Syntax Silver badge

      Re: Hash

      "why you DON'T plug them into a password manager."

      Why? Maybe you don't plug them into an online password manager but I rather think my encrypted KeePass manager on my laptop is a bit more secure than a text file or the browser's password caching on the same. Apart from anything else its random passwords look a lot more like line noise than any erqogdp]oe0 keyboard mashing will generate.

      1. Lee D Silver badge

        Re: Hash

        One single access to your laptop at the level of your user (i.e. a single browser compromise) and your entire database of unique passwords is available to someone for offline hash-cracking with JohnTheRipper. No different to the browser "saved password" functionality itself, which is encrypted in a similar way.

        It would take you longer to change all those passwords (because they are now all compromised) than it would do for someone to find the weak ones.

        Not only that, by just having such a tool installed, you're basically flashing your iPhone around in the middle of The Bronx which has only one inevitable conclusion:

        https://www.tomsguide.com/us/hacker-tool-keepass,news-21782.html

        Tell me - do you do your browsing as a user with access to KeePass?

        Much safer to memorise half a dozen decent passwords and then you can literally write "HSBC - level 1 password", "The Register forum - level 5 password" in a document somewhere, or even advertise it to the world.

        KeePass is just writing your passwords down and then putting big arrows pointing the way to your password all over your computer. It's no more secure than a notepad file. Plus, you better hope that KeePass never, say, gets a rogue git commit added that compromises it - as has happened to everything from the Linux kernel to Firefox to OpenSSL to entire code repos, etc. in the past. I know which project I'd be trying to infiltrate if I wanted to spend years to get a single code drop inside it, with an accidental "off by one" that gives the person who crafted that complete access to all wallets.

        At best, something like KeePass is snake-oil. At worst, it's a tin-foil hat / emperor's new clothes.

        1. Anonymous Coward

          Re: Hash

          You say Firefox has in the past been compromised by a rogue commit... can you point to a source for that claim (as I don't recall hearing about it)?

        2. Anonymous Coward

          Re: Hacker Tool Steals All Your Passwords from KeePass

          @Lee D: The article that you link to about KeePass (and the KeeFarce exfiltration tool) dates from 2015. Although an interesting potential concern, is it still relevant (has KeePass been updated to protect against this), and, also, are KeePassXC (or KeePassX) vulnerable to this weakness?

        3. Anonymous Coward

          Re: Hash

          From the link you shared "if a bad guy can get his software on your computer, it's not your computer anymore."

  12. Anonymous Coward

    Once again, why is there no W3C/ISO/IEEE/RFC standard

    for storing and handling personal user credentials for a public website?

  13. Anonymous Coward

    Hacked my account?

    That’s a relief!

    Now someone else can post my sarcastic comments... I was afraid I was getting behind.

    1. Flakk
      Joke

      Re: Hacked my account?

      Now you see, this is a perfect illustration of what is so wrong with society today. So few people seem to take pride in their work anymore.

    2. Steve K

      Re: Hacked my account?

      I think you'll find that is my job.....

  14. SonOfDilbert
    FAIL

    Wall of shame

    "Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000)."

    This is like a 21st century wall of shame. I _know_ that cyber security is tough, but come on. I would guess that most of these breaches used known exploits against servers that were either not up-to-date or lacked some basic hardening. These breaches are incredibly disrespectful to clients.

    1. Peter X

      Re: Wall of shame

      My guess is an issue with photo uploading? Most of the sites seem like places that would facilitate that. It's annoying there's no mention of the underlying issue... although I guess the hackers are not inclined to make that information available.

  15. Anonymous Coward

    Outrage about this 620 million details dumped online.......

    ....is reasonable and understandable.

    But there are similar efforts going on in Cheltenham (and elsewhere):

    - in secrecy

    - paid for by the taxpayer

    ......and absolutely no outrage about the secrecy and the complete lack of transparency.

    This article is about "bad guys".......but there ARE NO GOOD GUYS!

  16. Anonymous Coward

    "I don't think I am deeply evil," the miscreant told us.

    Just a little evil. Not sharks with frikken laser beams on their heads evil. Ill-tempered sea bass evil. Got it.

    "I need the money."

    Then clean yourself up and get a job in the industry. If you're even halfway decent it'll pay way more than this penny ante nonsense. Plus you'll get to avoid that whole messy risk-of-incarceration issue.

    1. Rameses Niblick the Third Kerplunk Kerplunk Whoops Where's My Thribble?

      Re: "I don't think I am deeply evil," the miscreant told us.

      "Then clean yourself up and get a job in the industry. If you're even halfway decent it'll pay way more than this penny ante nonsense."

      Sadly difficult to achieve when you refuse to leave your parents' basement. Otherwise, I have to agree with you.

  17. Anonymous Coward

    Hacked you say?

    Narelle, inform HR, ask them to start up the whale song audio in the break out rooms.

    Bob, you go and find the tech people wherever they reside and ask them when the interweb thingies will be clean again.

    Charles, put out a staff notice on breathing techniques.

    Ommmm

    Ommmm

  18. Herby

    I now suspect...

    That a bunch of email addresses will get extortion letters that say we have your web cam feed, and we know what you were doing while watching a video. It seems that this is much more lucrative than trying to get bank credentials or the like. While you send out email to 1000s of addresses, and get a couple to bite and send you back $$$ (in bitcoin form), there seem to be suckers born every minute.

    Of course, maybe this seller bought said records and did his thing, and sold off the used addresses after he found it might be too much work to make money from them. Oh, well.

  19. shawnfromnh

    One person said we've taken all measures necessary. Does that mean all measures to comply with minimum-by-law security? I wonder how many of these sites do regular pen testing or have even done one test.

  20. AGASA

    Facebook token (and other social media)

    Hello,

    I'm wondering what can one do with the Facebook token potentially?

    AGASA

  21. air.bender

    That's why you should have really strong passwords, don't push on random links, and have a VPN. I think one of my worst nightmares is this happening to me. I only used private browsers before with an antivirus (Tor & Norton), but then my friend told me about a VPN, so I got Surfshark.
