Approximately 620 million records stolen from sixteen compromised websites are up for grabs on the Dark Web. According to The Register, the list includes users of the following companies: Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, and DataCamp.
While some of the affected companies such as MyHeritage and MyFitnessPal have already announced that they were hacked last year, the list consists predominantly of newcomers who have just begun notifying their users about the breach. Some of the newcomers include 500px, DataCamp, EyeEm, and 8fit.
The massive database of stolen information is being offered on the Dream Market cyber-souk located in the Tor network for roughly $20,000 in Bitcoin, and according to The Register’s source, the database has been purchased at least once already. However, it is currently unknown how many cybercriminals have bought the list so far.
The database contains personal information such as full names, email addresses, and passwords, along with other data such as location and social media authentication tokens. It is currently unknown if the list contains sensitive information such as SSN, DOB, and credit card details. It is assumed that most of the leaks included in the database come from data breaches that have happened over the last two years.
A MyHeritage spokesperson who was provided with a sample of the list confirmed that it is legitimate and contains information illegally obtained from the organization a couple of years ago. EyeEm and 500px have already begun notifying affected customers and forcing them to change their passwords. The majority of the affected companies are still not actively forcing password changes for affected users.
This major collection of multiple data breaches is not to be confused with the 2.2 billion monster data collection that started circulating on the Dark Web and various torrent websites a couple of weeks ago. It is currently unknown if the stolen data is part of the 2.2 billion monster data collection. It is also unknown if the details from the stolen data have been uploaded to Have I Been Pwned.
What should you do?
Hackers will most likely start using the stolen data to get access to other websites where the same login details have been reused. Such leaks make life much easier for hackers, as they can use simple hacking techniques to get access to even more sensitive information about their targets.
The very first thing to do is to start practicing good password hygiene by changing your passwords regularly, since it often takes years for a company to disclose that it has been breached. Changing your password at least once every three months is indeed a good practice.
Don’t be tempted to reuse passwords on different websites. If you find it too confusing to remember all of your passwords, it is worth using antivirus software: the best antivirus software solutions not only protect you from hackers but also come with useful features such as password managers.