Dark web data dump sees 620 million accounts from hacked websites go on sale

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Cyber criminals have placed 617 million hacked accounts for sale on the dark web, stemming from 16 separate data breaches.

The databases are listed on the dark web marketplace Dream Market, alongside drugs, weapons and other illicit items.

Hacked websites listed include MyFitnessPal, MyHeritage and Animoto – all of which were known to have been compromised.

Other sites, such as the photography network 500px, had not previously reported a breach to its security.

Depending on the breach, stolen data may include email addresses, passwords, location and other personal details.

Listings for the hacked accounts on Dream Market were first reported by The Register and have since been confirmed by The Independent.

The data troves are listed individually on the popular dark web marketplace, each sold by the same vendor. The seller, who goes by the name 'gnosticplayers', joined the Dream Market on 6 February and currently has a five star rating, though this comes from a single buyer.

"Feel free to message me here on Dream Market to tell me what kind of data you're searching (crypto, gaming, or huge data sets", and I will list it here for sale right after," Gnosticplayers' profile states.

"Since I have a huge reserve of fresh data, I probably have what you need. If the data does not correspond to what the breach information specifies, do an escrow dispute. However, carefully read the listing of what you'll receive because if you purchase it you agree to receive the specified data."

Cyber security experts have warned that the scale of the breach could drive a significant change in public sentiment towards security, especially considering that many of the listings were from previously undisclosed data breaches.

“A number of the breached sites failed to disclose the attacks, indicating that they weren’t aware of the hack, or opted not to reveal it, and thus could fall foul of GDPR and be subject to serious fines. Either way, it’s likely to be concerning for consumers, who will bear the brunt of the attacks," Ilkka Turunen, global director at software firm Sonatype, told The Independent.

“Compounding this is the fact that the breaches may have been preventable. The hacker stated they exploited security vulnerabilities in web apps and website code – from a software perspective, such vulnerabilities are easy to fix. Yet despite this, companies negate to do so... As consumer awareness increases, they are likely to become much less tolerant of those companies who fail to implement proper security when they have the tools available to do so.”

Other security researchers said that people should beware of their accounts being compromised, even if they no longer use any of the sites or services caught up in the latest list of data breaches.

The tendency to reuse the same email addresses and passwords across multiple platforms mean hackers can use the credentials to break into other online accounts.

Gavin Millard, who works at cyber security firm Tenable, advised people to check whether their emails have been compromised by checking it on the Have I Been Pwned website, which collates major data breaches.

"Of course, the best way to avoid credential stuffing attacks is to always create unique email and password combinations for every account," Mr Millard told The Independent.

"Doing this manually is untenable hence good practice is to always use a password manager that can create and store complex passwords, and even alert users to compromised passwords found in data breaches."