Monday, June 14 2021

Stolen account details of 500px, MyFitnessPal, more

Stolen account data from 16 hacked websites is being sold on the dark web. A total of 617 million records are available, and the data includes account holders' names, email addresses, and hashed passwords …


The Register lists 16 affected websites.

For less than $20,000 in Bitcoin, the following stolen account data can allegedly be purchased from the Dream Market cyber-souk on the Tor network:

DubSmash (162 million), MyFitnessPal (151 million), MyTerms (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million) and DataCamp (700,000).

Sample account records from the multi-gigabyte databases, as seen by The Register, appear to be legitimate […] Depending on the site, there are several other pieces of information, such as location, personal details, and social media authentication tokens. There appear to be no payment or bank card details in the sale listings.

Some passwords are hashed using only the MD5 algorithm, which is trivial to crack.

Some of the affected websites had already disclosed data breaches, but others, like 500px, had not done so. The company has already confirmed the claim.

500px staff are already informing their users that the site was indeed hacked, and will reset everyone's passwords, starting with those that are weakly hashed with MD5.

"We can confirm that there was a violation," said Newell. "Our engineers immediately began a thorough review of our systems and have since taken all the precautions to provide them. All areas of vulnerability have been identified and fixed during our internal investigation and we have not yet found evidence of the recurrence of the problem.

"We are currently working on the notification of our entire user base, but given the amount of users affected, this task will last for at least one day. We have taken all precautions to ensure that our users' data is safe. We are currently recovering the system-wide password for all users prioritized in the order of accounts with the highest potential risk, and we are already forced to recover all passwords encrypted in MD5. "

2019 has not been a great year for security so far. January saw what was at that time the biggest breach of email addresses and passwords, some of which were exposed. It was subsequently followed by four additional collections, creating a staggering total of 2.2 billion unique accounts. We also recently learned about two techniques used to access iCloud-locked iPhones.

As always, it's a good time to review your security, making sure you do not reuse your passwords. Stolen account details are typically used for "credential stuffing," where data buyers automatically test the same email addresses and passwords across a wide range of popular websites and services.
