‘Gnosticplayers’ is now selling another 26 million user records on the Dark Web

• Gnosticplayers had earlier exposed more than 840 million user records during the month of February.
• This is the fourth time the attacker has put a trove of sensitive information out in the open.

Gnosticplayers, the infamous hacker who exposed and sold millions of user records in early 2019, has yet again come out with a new batch of user records for sale. This fresh wave of user data dump contains over 26 million records which belong to customers of six companies across the world.

Worth noting

• According to ZDNet, the six companies impacted are GameSalad, Estante Virtual, Coubic, LifeBear, Bukalapak, and YouthManual.
• The largest number of user records (13.2 million) leaked was from Bukalapak, an Indonesian e-commerce company, while the smallest portion (1.12 million) of the dump was from YouthManual, a website aimed to help Indonesian students in their career.
• GameSalad, Estante Virtual, Coubic, and LifeBear each leaked 1.5, 5.45, 1.5 and 3.86 million records respectively.
• Gnosticplayers cites poor security implementations by these companies as the reason for their breaches.

Why it matters - This is the fourth in a series of user record dumps put up for sale by the same individual. The first batch contained 620 million user records, while the second and third batches contained 127 million and 93 million records respectively.

Though the data released by the hacker mostly contains records from previous breaches, the combined sale of such a large amount of data means other cybercriminals could leverage it for future credential stuffing attacks, leading to further damage. Interestingly, the hacker claims that he has sold only a portion of the data in his possession.

Moreover, Gnosticplayers told ZDNet, “I came to an agreement with some companies, but the concerned startups won't see their data for sale. I did it that's why I can't publish the rest of my databases or even name them.”

Although this time it was comparatively smaller in scale compared to three previous batches, this is a tell-tale sign of how many companies fail to implement rigid security measures when it comes to protecting vast amounts of user data.