Almost 620 million accounts gathered from 16 different websites are available for sale on the dark web
- The websites to which the leaked accounts belong include the likes of Dubsmash, MyFitnessPal, MyHeritage, Animoto, 8fit, and 500px.
- Data compromised in the hack includes account holder names, email addresses and hashed passwords.
A trove of data stolen from 16 different websites is available for sale on the dark web. The data is available on the popular Dream Market forum for less than $20,000 worth of Bitcoin.
Names of the websites compromised
An estimated 617 million online account details were stolen from the 16 websites.
The websites to which the leaked accounts belong include Dubsmash, MyFitnessPal, MyHeritage, Animoto, 8fit, 500px, Armor Games, CoffeeMeetsBagel and Artsy. The highest number of records was stolen from Dubsmash, a total of 162 million.
Type of information compromised
Data compromised in the hack includes account holder names, email addresses and hashed passwords. The Register pointed out that few of these websites exposed information such as users' personal details and social media authentication tokens. The data does not include financial information.
While some of these websites have suffered repeated breaches, a few suffered a data breach for the first time. Most of the records were breached during 2018.
Spokespersons from MyHeritage and 500px confirmed the authenticity of the data. 500px also confirmed that its users’ data had been stolen and put up for sale.
According to The Register, all of the databases are being sold by one hacker, who claims to have exploited security vulnerabilities within web apps to gain remote code execution and then extracted user account data.
In the wake of the incident, 500px has started notifying its users that the site was hacked. In addition, it plans to reset everyone’s passwords.
“We are currently working on notifying our entire user base, however, given the number of users affected, this task will span one day at minimum. We’ve taken every precaution to ensure our users' data is safe. A system-wide password reset is currently underway for all users, prioritized in order of accounts with the highest potential risk, and we have already forced a reset of all MD5-encrypted passwords,” spokesperson Stephanie Newell told The Register.