It’s been a rough start for cybersecurity in 2019 as hackers have been busy peddling their wares to usher in the new year. In January, we reported about Collection #1, a cache of data that affects nearly three-quarters of a billion email accounts and more than 20 million passwords from around 2,000 leaked databases.
Two weeks later, the existence of four other caches of data, named Collections #2 to #5, was revealed, exposing another 2.2 billion unique usernames and passwords.
And it looks like the hits will just keep on coming. It appears that another massive treasure trove of account details is up for grabs in the dark web. Is your data at risk?
Another set of stolen user credentials is up for grabs
This week, around 617 million account details stolen from 16 compromised websites are now on sale on the dark web. The seller’s asking price for the stolen data? Less than $20,000 in Bitcoin.
The Register revealed that the databases were spotted on an underground trading site called The Dream Market, and samples tested from the collection appear to be legitimate. The cache of data includes account holder names, email addresses and passwords. The passwords, however, are either hashed or one-way encrypted so they have to be cracked before they can be used.
Other forms of information were also exposed, depending on the site and service, including location, personal details and social media authentication tokens. Thankfully, it looks like there are no payment and banking details in the sales listings.
But what is the dark web exactly? Click below and listen as Kim Komando breaks it down for you in this two-part podcast episode:
Why is this data so valuable?
These big databases of stolen details are valuable for a reason. The information can be used by hackers for a technique called “credential stuffing.” This is when someone feeds the credentials to an automated program that tries them all out on various websites, hoping that people have reused their passwords on multiple services.
For example, a determined hacker can crack the weaker encrypted passwords on the list then try the email and password combinations on more critical services like Google, Facebook or banking sites.
List of compromised sites
The sites included in the list are a mishmash of messaging apps, fitness and photography social networking sites, gaming portals and even a DNA family-tree tracing service.
Some of the services, like MyHeritage and MyFitnessPal, have publicly disclosed their data breaches last year, but it’s the first time we’ve heard about the others.
Do you have an account with these services? Here’s a list of the compromised sites:
- Dubsmash (162 million accounts)
- MyFitnessPal (151 million accounts)
- MyHeritage (92 million accounts)
- ShareThis (41 million accounts)
- HauteLook (28 million accounts)
- Animoto (25 million accounts)
- EyeEm (22 million accounts)
- 8fit (20 million accounts)
- Whitepages (18 million accounts)
- Fotolog (16 million accounts)
- 500px (15 million accounts)
- Armor Games (11 million accounts)
- BookMate (8 million accounts)
- CoffeeMeetsBagel (6 million accounts)
- Artsy (1 million accounts)
- DataCamp (700,000 accounts)
If you suspect that your accounts are part of older data leaks, it’s a good time to review all your online credentials. This is a good reason why you should never ever reuse the same password for multiple online services and websites. Click here for new ways to come up with a secure password.
You can also check your email on a service like Have I Been Pwned. This website will check if your email address has been part of a data breach. Note: Google has released its own Chrome password checker tool. Click here to learn how to enable it.
Additionally, if you haven’t done it yet, check your services if they support two-factor authentication (2FA) and enable it. 2FA gives you an extra layer of security that will help keep your accounts safe.
And while you’re at it, better close old accounts that you rarely use. Here’s an online tool that will help you do just that.