Debit and credit card details stolen from almost 85,000 unsuspecting Brits are available to buy online in a “brazen” criminal database.
For a $20 (£14) registration fee, anyone can access the numbers, expiration dates and names on more than a million cards around the world, alongside the names, addresses and even phone numbers of their owners.
The existence of Bestvalid.cc was first revealed by The Times, who alerted the National Crime Agency and MPs, but it was still online on Saturday.
After registering with a gibberish username and password, the Independent was able to access the database within minutes.
The website looks like any other business, complete with a FAQs page, rules, terms of service and “news”, although its products are far from normal.
Users can choose cards by country, bank, name, expiration date, city and even postcode for minuscule prices that “correspond to the material quality” (sic), according to the website.
A quick scan of the countries on offer included nations as diverse as the US, China, Greece, Argentina, India, Taiwan, Denmark, the Bahamas, Australia and Zimbabwe.
A search for the United Kingdom revealed 84,570 results - 78,318 debit, 6,239 credit and a handful of charge cards.
Barclays, Nationwide and Natwest were among the popular banks listed in packages of stolen information mostly costing between $7 (£5) and $9 (£6) each.
The Times found details belonging to a former senior adviser to the Queen as well as from doctors, lawyers, bankers and other professionals on the database.
With the permission of one of the victims, Laia Humbert-Vidan, the newspaper purchased her stolen information using bitcoin.
The radiotherapy physicist, from London, said that she felt violated after seeing her private details appear on Bestvalid.
“I don’t feel like the police are able to protect anyone from online fraud,” she added. “If they were, these types of sites would not exist in the first place.”
The website is believed to have been operating since June last year, despite the Government’s continuing fight against online fraud and investigations into the Carphone Warehouse and TalkTalk hacks, which have seen five suspects arrested so far.
The .cc domain is the country code for the Cocos Islands, an Australian territory in the Indian Ocean with just 600 inhabitants. It is reportedly used by several cycling clubs and by Catholic and Christian churches because of the letters' associations, as well as in the contested "Turkish Republic of Northern Cyprus".
Daniel Cuthbert, the chief operating officer of information security firm Sensepost, told The Times that Bestvalid was one of the biggest sites of its kind.
“Most illegal card emporiums are on the dark web, or they require a customer to be vetted or pay a fee to enter,” he added.
“What’s interesting about Bestvalid is that they’ve decided to operate on the open web…It’s completely brazen.”
A spokesperson for the NCA, which is responsible for fighting cyber crime and fraud in the UK, told the Independent he could not confirm whether the site was under investigation.
“The NCA, alongside UK and international law enforcement partners and the private sector, are working to identify and as appropriate disrupt websites selling compromised card data,” he said.
“We will work closely with partners of the newly established Home Office Joint Fraud Task Force to strengthen the response.
“This may include the provision of information to the appropriate authorities of countries hosting the server.
“As part of a prevention approach, alerts to financial institutions providing the details of compromised cards will be considered.”
Anyone who believes they are a victim should report to Action Fraud through its website.