There’s an underground web where criminals meet to conduct business. And much of the business they conduct involves buying and selling our personal information.
An article from the Bleeping Computer reported that 127 million records were stolen from eight companies and were posted for sale on a site called Dream Market. The seller, “gnosticplayers,” was asking $14,500 for the data trove.
Unfortunately, this is an all too common occurrence. A few days earlier 620 million records were on sale for $20,0000. They were said to have been stolen from 16 other companies. In both cases buyers were required to pay in bitcoin to avoid detection.
In each case, the seller was able to sell his list multiple times to many buyers but often chose to limit the number of sales so that the lists retain their value and are not diluted. Apparently, even data thieves have a code of standards.
According to Bleeping Computer, “Dream Market is a dark web market which went online in November 2013 and provides anonymous access to illegal items and services, ranging from drugs and malicious tools to weapons and stolen user data readily packaged for further exploitation.”
This time, eight sets of user records were put up for sale. The records range in size from 450,000 to 162 million. Information offered varies by the site that was hacked, but can include passwords and usernames, full name, IP address, email address, passport numbers, credit card numbers, and other information.
The Register identified where these records came from. Some of them are Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000). Other sites include PetFlow, Houzz, and YouNow.
According to the article, only two of the sites (the online dating app Coffee Meets Bagel and home improvement site Houzz) confirmed that their data had been breached. None of the others would admit that their data had been stolen.
For example, YouNow, one of the companies whose data was found to be for sale, said, “Our security experts have investigated the claim that YouNow was hacked, and can definitively confirm that information on YouNow users’ passwords and credit cards was not compromised in any sort of data breach.”
PetFlow said, “ Thanks for reaching out to us. To our knowledge, we’ve never been breached. Our information is secure and has not been hacked. If you have more information I would be happy to look into this further for you though. Let us know if there’s anything else we can assist with.”
Apparently, not only is all of this stolen data for sale, but most of the companies are totally unaware that their sites have been compromised.