Cyber criminals have placed 617 million hacked accounts for sale on the dark web, stemming from 16 separate data breaches.
The databases are listed on the dark web marketplace Dream Market, alongside drugs, weapons and other illicit items. Hacked websites listed include MyFitnessPal, MyHeritage and Animoto – all of which were known to have been compromised. Other sites, such as the photography network 500px, had not previously reported a breach to its security.
Depending on the breach, stolen data may include:
- email addresses
- other personal details
The data troves are listed individually on the popular dark web marketplace, each sold by the same vendor. The seller, who goes by the name 'gnosticplayers', joined the Dream Market on 6 February and currently has a five star rating, though this comes from a single buyer.
Cyber security experts have warned that the scale of the breach could drive a significant change in public sentiment towards security, especially considering that many of the listings were from previously undisclosed data breaches.
Ilkka Turunen, global director at software firm Sonatype, stated “A number of the breached sites failed to disclose the attacks, indicating that they weren’t aware of the hack, or opted not to reveal it, and thus could fall foul of GDPR and be subject to serious fines."
Other security researchers said that people should beware of their accounts being compromised, even if they no longer use any of the sites or services caught up in the latest list of data breaches.
The tendency to reuse the same email addresses and passwords across multiple platforms mean hackers can use the credentials to break into other online accounts.
- The best way to avoid credential stuffing attacks is to always create unique email and password combinations for every account - Doing this manually is untenable hence good practice is to always use a password manager that can create and store complex passwords, and even alert users to compromised passwords found in data breaches
- Check whether your emails have been compromised by checking it on the Have I Been Pwned website, which collates major data breaches.