View All R&D Articles

617 Million Accounts Compromised And Sold On Dark Web In Massive Data Breach

March 12, 2019

The Register is reporting a serious data breach affecting 16 websites and 617 million user accounts. Stolen information is available on the dark web, and the affected websites have warned their users to take action to counteract the breach.

The compromised information is available for a combined $20,000 in Bitcoin on the Dream Market cyber-souk, located on Tor, a network that isn’t accessible with conventional web browsers (the so-called “dark web”).

Affected websites include:

  • Dubsmash (162 million accounts accounts)
  • MyFitnessPal (151 million accounts)
  • MyHeritage (92 million accounts)
    ShareThis (41 million accounts)
  • HauteLook (28 million accounts)
  • Animoto (25 million accounts)
  • EyeEm (22 million accounts)
  • 8fit (20 million accounts)
  • Whitepages (18 million accounts)
  • Fotolog (16 million accounts)
  • 500px (15 million accounts)
  • Armor Games (11 million accounts)
  • BookMate (8 million accounts)
  • CoffeeMeetsBagel (6 million accounts)
  • Artsy (1 million accounts)
  • DataCamp (700,000 accounts)

How Websites Are Responding to the Breach

Most of the affected websites acted swiftly, warning affected users and implementing security fixes to prevent additional breaches. Some waited for several weeks to admit to the breach. Armor Games, an online service offering free Flash games, didn’t email users until March 1; the breach was first reported on Feb. 11.

“We are making changes on our side to harden our security and fixing any weaknesses found by our audit, including updating our password protection methods,” Armor Games wrote in an email sent to users.

“We are also adding measures to protect our users from misuse of this information on our own site. We have begun notifying authorities and will cooperate with law enforcement if requested and we may work with the other companies affected. We already have a policy of keeping as little data as possible and we will continue to look for new ways to minimize our data collection.”

What Type of Data Was Stolen?

Hackers stole user credentials for the websites; some of the breached databases included location details, social media authentication tokens (used for sites that offer, for example, a “Login with Facebook” feature), and some personal details. The stolen data does not appear to include credit card information.

However, hackers who access the data will likely use it for “credential stuffing,” a methodology that involves comparing user credentials with known entries in other databases. Essentially, the hackers will try to gain access to the victims’ other online accounts, which might hold more useful data.

This type of attack highlights the importance of using separate passwords for every website (we’ve got a guide for picking secure, unique passwords here, and services like LastPass offer an alternative for users who don’t want to keep track of dozens of different passwords).