Hacker that stole 620 million account credentials last year stole 127 million more

Written almost 2 years ago by IanDorfman

In addition to stealing the credentials both this year and last year, the hacker has posted offers for the stolen databases with confidential account information across multiple sites on the dark web for $14,500 USD worth of Bitcoin.

The pilfered databases and the number of accounts stolen from each come from the following sites and services, in order from most accounts to least accounts stolen:

Dubsmash (162 million)
MyFitnessPal (151 million)
MyHeritage (92 million)
Houzz (57 million)
ShareThis (41 million)
YouNow (40 million)
HauteLook (28 million)
Animoto (25 million)
EyeEm (22 million)
8fit (20 million)
Whitepages (provider of Whitepages Caller ID & Block, 18 million)
Ixigo Cabs App (18 million)
Fotolog (16 million)
500px (15 million, see our coverage from last night)
Armor Games (11 million)
Bookmate (8 million)
Coffee Meets Bagel (6 million)
Stronghold Kingdoms (5 million)
Roll20 (4 million)
ge.tt (1.8 million)
Artsy (1 million)
Petflow (1 million)
Datacamp (700,000)
Coinmama (450,000)

All in all, 24 websites and services had a total of nearly 747 million account credentials stolen. This is an unprecedented occurrence in terms of the sheer scale of data stolen and sold on the dark web. Despite this, the data included in these databases is relatively standard, consisting of account names, email addresses, and hashed passwords that need to be cracked before they're of any use to account hijackers. Of course, that only holds for websites that actually hash the passwords in their account databases, and only as well as the chosen hashing scheme holds up. According to a report by TechCrunch, Ixigo Cabs App and PetFlow (along with 500px from the prior account database theft) hashed passwords only with the MD5 algorithm, a fast general-purpose hash that offers little resistance to cracking. Even worse, YouNow does not hash user passwords at all, storing them in plaintext.
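The password-storage contrast in the paragraph above, as an added Python example that is not from the article or from any of the named services: a constructed two-user table with unsalted MD5 records shows that users who chose the same password are visible at a glance in a dump, while a login routine verifies against the legacy record and rehashes it with salted PBKDF2-HMAC-SHA256 from the standard library (assumed here as the replacement scheme; the article names none) on the next successful sign-in.

```python
import hashlib
import hmac
import os

# Constructed sample table in the weak shape the article describes for some
# sites: unsalted MD5 of the password, stored as "md5$<hex>". Alice and Bob
# picked the same (deliberately weak, constructed) password.
LEGACY_USERS = {
    "alice": "md5$" + hashlib.md5(b"hunter2").hexdigest(),
    "bob": "md5$" + hashlib.md5(b"hunter2").hexdigest(),
}

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the replacement scheme


def hash_password(password: str) -> str:
    """Salted, slow record: 'pbkdf2$<iterations>$<salt hex>$<derived key hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Verify against either record format; constant-time comparison for both."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), rest)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def login(users: dict, username: str, password: str) -> bool:
    """Check credentials; on success, upgrade a legacy MD5 record in place."""
    record = users.get(username)
    if record is None or not verify_password(record, password):
        return False
    if record.startswith("md5$"):
        users[username] = hash_password(password)
    return True


def duplicate_hash_groups(users: dict) -> int:
    """Number of distinct stored hashes shared by more than one user. Unsalted
    MD5 exposes shared passwords this way; salted records never collide."""
    counts: dict = {}
    for rec in users.values():
        counts[rec] = counts.get(rec, 0) + 1
    return sum(1 for c in counts.values() if c > 1)
```

Run `login` for each user once to see the table migrate from `md5$` to `pbkdf2$` records and the duplicate count drop to zero.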

Remember to always stay vigilant and follow some account security best practices, such as using a password manager like LastPass or KeePass and using a password and account monitoring service such as Have I been pwned? or Google's newly released Password Checkup. Security is almost always worth the extra effort to implement, especially when it comes to services with vital data.

Further coverage:
The Register