A hacker who earlier this week put the data of 620 million individuals up for sale on the dark net marketplace "Dream Market" has now added the private data of a further 127 million people, including 450,000 users of the Israel-based crypto exchange Coinmama, TechCrunch reports.
The first batch, reportedly stolen last year from 16 companies including MyFitnessPal and Animoto (151 million and 25 million records respectively), can be bought for around $20,000 USD.
MyFitnessPal and Animoto were reportedly aware of their breaches and had already disclosed them, but the data set also includes records from 500px and Coffee Meets Bagel, two companies that had reportedly not previously disclosed any breach of user data.
Data in the first batch includes names, email addresses, scrambled (hashed) passwords and, in some cases, additional login and account data.
The newest batch is being sold by the same hacker or illegal data broker and includes records from the following eight firms:
- Ixigo (travel booking site): 18 million records
- YouNow (live-video streaming site): 40 million records
- Houzz (recently disclosed a data breach): 57 million records
- Ge.tt (file sharing): 1.8 million accounts
- Coinmama (crypto exchange): 450,000 records
- Roll20 (gaming site): 4 million records
- Stronghold Kingdoms (multiplayer online game): 5 million records
- PetFlow (pet care delivery service): 1 million records
Data for Houzz, "a website and online community about architecture, interior design and decorating, landscape design and home improvement…founded in 2009 and…based in Palo Alto," for example, can be purchased for 2.909 bitcoins (about $10,400 USD).
Ariel Ainhoren, a research team leader at the Israeli cybersecurity firm IntSights, told TechCrunch in an email that the hacker may have exploited a flaw in the PostgreSQL database software used on 6 of the 16 hacked sites:
“We’re still analyzing it, but it could have been that he used some kind of vulnerability that surfaced around that time and wasn’t patched by these companies or a totally new unknown vulnerability.”
Ainhoren added that certain clues suggest the seller is wholesaling data he or she stole directly:
“As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it.”
Jonathan Katz, a contributor to the PostgreSQL open-source project, countered Ainhoren's claim, however, stating that he is "currently unaware of any patched or unpatched vulnerabilities that could have caused these breaches."
Katz added that the project has a “dedicated security team”:
“When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”
Experts have noted that stolen data may not be exploited for some time, but that does not mean it never will be: dumps like these are routinely mined for reused credentials long after the original breach.
Data hygiene should be practiced by everyone. Unused site accounts should be closed; passwords should be long, unique to each site, changed promptly when a service discloses a breach, and kept in a dedicated password manager rather than saved in the browser.
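To make concrete why "scrambled" passwords in a dump like this are still dangerous, and why unique passwords per site matter, here is an added example (not code from the article or from any of the companies named). It builds a small constructed dump in which two fictional sites stored unsalted SHA-1 password hashes, runs the kind of offline wordlist attack a buyer of such data would run, shows that identical hashes reveal password reuse across sites without any cracking at all, and then contrasts the per-account work a salted store forces. All emails, passwords, salts and the wordlist are made up for the example.

```python
import hashlib

# Constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "dragon"]


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed dumps: two fictional sites that stored passwords as unsalted
# SHA-1, which is what a "scrambled" password column in a leak often is.
SITE_A = {
    "alice@example.com": sha1_hex("password123"),
    "bob@example.com":   sha1_hex("letmein"),
    "carol@example.com": sha1_hex("Tr0ub4dor&3-garden-lamp-2019"),
}
SITE_B = {
    "alice@example.com": sha1_hex("password123"),                   # reused
    "bob@example.com":   sha1_hex("9v!Lk2#pQx7$wE"),                # unique here
    "carol@example.com": sha1_hex("Tr0ub4dor&3-garden-lamp-2019"),  # long, but reused
}

# Same site A passwords, but hashed as sha1(salt || password) with a
# per-account salt (fixed constructed salts so the example is deterministic).
SITE_A_SALTED = {
    email: (salt, hashlib.sha1(bytes.fromhex(salt) + pw.encode()).hexdigest())
    for email, pw, salt in [
        ("alice@example.com", "password123", "0a" * 16),
        ("bob@example.com", "letmein", "1b" * 16),
        ("carol@example.com", "Tr0ub4dor&3-garden-lamp-2019", "2c" * 16),
    ]
}


def crack_unsalted(dump, wordlist):
    """Offline dictionary attack on unsalted hashes.

    One lookup table, computed once, cracks every account in the dump.
    Returns (cracked {email: password}, number of hash computations)."""
    table = {sha1_hex(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """Same attack against sha1(salt || password) with a per-account salt.

    No shared table is possible: every candidate is rehashed for every
    account, so the cost scales with the number of accounts."""
    cracked, ops = {}, 0
    for email, (salt_hex, h) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            ops += 1
            if hashlib.sha1(salt + w.encode()).hexdigest() == h:
                cracked[email] = w
                break
    return cracked, ops


def cross_site_reuse(dump_a, dump_b):
    """Emails whose unsalted hash is identical on both sites.

    Equal hashes mean the same password, so a buyer learns that the
    credential is reused (and worth trying elsewhere) without cracking it."""
    return sorted(e for e in dump_a if e in dump_b and dump_a[e] == dump_b[e])


if __name__ == "__main__":
    cracked, ops = crack_unsalted(SITE_A, WORDLIST)
    print("unsalted: cracked", cracked, "with", ops, "hash ops")
    cracked, ops = crack_salted(SITE_A_SALTED, WORDLIST)
    print("salted:   cracked", cracked, "with", ops, "hash ops")
    print("reused across sites:", cross_site_reuse(SITE_A, SITE_B))
```

Two things the output makes visible that the advice above only states: carol's password is long and survives the wordlist, yet because she reused it, the identical hash on both sites still tells a buyer to try it everywhere; and even the modest per-account salt multiplies the attacker's work by the number of accounts, which is why a site's storage choice matters as much as the user's password length.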