One of the biggest issues of the digital age is data theft. In recent times, some of the top companies, such as Facebook and Google, have faced issues with their customer databases. According to recent reports, 617 million accounts from hacked websites are reportedly being sold on the dark web. Belonging to websites and apps like Dubsmash, MyFitnessPal, 500px, and ShareThis, the hacked account information is said to include names, email addresses, and encrypted passwords. Part of the data dump also includes location information, social media authentication tokens, and personal details. After the publication of the
The 617 million affected accounts come from video messaging application Dubsmash (162 million accounts affected); health apps MyFitnessPal (151 million) and 8fit (20 million); genealogy platform MyHeritage (92 million); content sharing service ShareThis (41 million); Nordstrom’s member-only shopping website HauteLook (28 million); cloud-based video creation service Animoto (25 million); photography sites EyeEm (22 million), Fotolog (16 million) and 500px (15 million); online directory Whitepages (18 million); game portal website Armor Games (11 million); e-book subscription service BookMate (8 million); dating site CoffeeMeetsBagel (6 million); art appreciation website Artsy (1 million); and online learning platform DataCamp (700,000).
According to The Register, MyFitnessPal, Animoto,
Compromised data primarily consists of individuals’ names, email addresses and hashed or encrypted passwords. But depending on the website, other lifted information includes usernames, IP addresses, birthdays, locations, countries, language, interests, account creation dates and security questions and answers. Presumably, cybercriminals who engage in spamming and credential stuffing campaigns would be able to make use of this information.
“Leaked credentials leave people vulnerable to account hijacking across all services where they recycle their usernames and passwords,” said Anurag Kahol, CTO and founder of Bitglass. “Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless password habits.”
Stephan Chenette, CTO and co-founder of AttackIQ, agreed, noting, “It is quite common for people to reuse the same login credentials for accounts across a wide range of services in different industries including the financial, healthcare, retail and education verticals. If a malicious actor was able to obtain the email address and crack a hashed password for just one of these accounts, they could potentially gain access to multiple accounts with sensitive information.”
Reportedly, the seller has set the value of the entire 617 million accounts data set at approximately $
“The bulk of these credentials were acquired from data breaches that occurred during 2018, meaning that the companies affected, such as Dubsmash, may face fines up to four percent of annual global turnover or €20 million under GDPR for compromising the information of EU citizens,” said Jonathan Bensen, interim CISO at Balbix. “What is concerning is that several breached sites failed to disclose these attacks, demonstrating that the companies either were unaware or decided to not reveal the incidents.”