617 Million+ account details from data breaches posted for sale on dark web

Axe

Member
Oct 27, 2017
1,108
United Kingdom
I hadn't seen anything about this, so apologies if old. Received an email from Have I Been Pwned? this morning saying that my details were compromised in a MyFitnessPal breach that occurred last year (143,606,147 accounts affected) and that the data is now up for sale. Upon looking into it further, it seems many more sites and apps have been compromised and all of the details are part of this sale too.

The Register — 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts
Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.
Engadget — Stolen user data from MyFitnessPal and other services hits the dark web
Most of the passwords are believed to be encrypted and hashed, meaning any buyer will have to crack the encryption to gain access to the accounts. However, because data breaches have become so common, a purchaser could cross-reference email addresses with previous breaches. If a person has reused a password, their account may be compromised. As a precaution, if you've used any of the affected services, it's probably best to change your password.
Everyone who might be affected should check if their accounts have been compromised.

EDIT: Here's an excellent guide on securing your accounts.
https://www.resetera.com/threads/the-773-million-record-collection-1-data-breach-i-suggest-changing-some-passwords.94070/#post-16957658
 

Red

Member
Oct 26, 2017
2,048
Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.
 

Black_Red

Member
Oct 27, 2017
2,131
Damn, I had an account on MyFitnessPal and Fotolog.

It was an old password, but I don't know if I have used it somewhere else.
 

F34R

Member
Oct 27, 2017
4,355
Sucks for everyone affected. :(
Luckily, I don't have an account with any of those sites.
 

MagicDoogies

Member
Oct 31, 2017
656
What's interesting in the article is the statement that some of these sites NEVER told their users about a security breach. Imagine now finding out you were compromised through an article where the data was already bought and about to be used.
 

Farfetch'd

Coward
Oct 26, 2017
4,240
At this point I just assume that everyone who really wants to can get into my accounts. I'm making sure that it doesn't matter all that much.
 

Etrian Oddity

Member
Oct 26, 2017
2,389
Great spot OP, thanks. I used MFP back in the day.

What's interesting in the article is the statement that some of these sites NEVER told their users about a security breach. Imagine now finding out you were compromised through an article where the data was already bought and about to be used.
This is the real horseshit that needs legislation, the negligence in aftermaths.
 

Donos

Member
Nov 15, 2017
2,474
At this point I just assume that everyone who really wants to can get into my accounts. I'm making sure that it doesn't matter all that much.
Really, just use LastPass, KeePass or whatever password manager fits you and generate some random big-ass passwords for each site. The programs all have mobile apps so you have all your passwords with you all the time.

A work colleague has the same password for everything (that's something I would not tell out loud, btw). I tried to reason with him and told him about breaches, but he doesn't care.
 

M52B28

Self-Requested Ban
Banned
Oct 26, 2017
1,794
A few years ago, I went through all of my old accounts and started erasing them and changing passwords.

It doesn't make sense for many of us to have so many accounts. I haven't even used some in years.
 

Farfetch'd

Coward
Oct 26, 2017
4,240
Really, just use LastPass, KeePass or whatever password manager fits you and generate some random big-ass passwords for each site. The programs all have mobile apps so you have all your passwords with you all the time.

A work colleague has the same password for everything (that's something I would not tell out loud, btw). I tried to reason with him and told him about breaches, but he doesn't care.
I do use that for the most important sites, but for everything else it's too big of a hassle for me.
 

Donos

Member
Nov 15, 2017
2,474
I do use that for the most important sites, but for everything else it's too big of a hassle for me.
With the apps on my smartphone (KeePass), it works pretty fast, so I don't mind. Breaches are getting more and more common, so I don't risk it. Only a couple of sites I use still have "normal" passwords which I have memorised, but they all have 2FA via SMS or Google Authenticator and are still unique to that site.
 

Starset

Member
Oct 27, 2017
2,163
So I have been "pwned on 1 breached site and found no pastes".

Should I change my passwords or something?
 
How to check if your passwords are compromised

RexNovis

Member
Oct 25, 2017
2,332
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it’s relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop-gapped record of them for reference. The most secure passwords are generally just strings of random words put together to create something like

TaffyGritSuspenders
So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you’ll be as secure as you possibly could be.
 

Robochimp

Avenger
Oct 25, 2017
1,220
I've only ever used Facebook login to access MyFitnessPal. While my email address is listed on haveibeenpwned for this breach, there shouldn't be a password in MyFitnessPal's database, right?
 

RexNovis

Member
Oct 25, 2017
2,332
I've only ever used Facebook login to access MyFitnessPal. While my email address is listed on haveibeenpwned for this breach, there shouldn't be a password in MyFitnessPal's database, right?
Uncertain. They may have a hashed record of your Facebook password stored. Try putting your Facebook password into the pwned password link to make sure. Even if it lists it as not pwned, I'd recommend updating it to be safe.
 

Robochimp

Avenger
Oct 25, 2017
1,220
Uncertain. They may have a hashed record of your Facebook password stored. Try putting your Facebook password into the pwned password link to make sure. Even if it lists it as not pwned, I'd recommend updating it to be safe.
Ok, the password is not pwned, they must just get an authorization token from Facebook.
 

Robochimp

Avenger
Oct 25, 2017
1,220
Good! Like I said I’d change your password just to be safe. Take the opportunity to make a more secure one using the tips I posted above. It might just keep your account safe in the future.
I’m not worried, it’s a long complicated one use password created by my iPhone, and I have 2FA on.
 

Dyno

The Fallen
Oct 25, 2017
2,745
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it’s relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop-gapped record of them for reference. The most secure passwords are generally just strings of random words put together to create something like

TaffyGritSuspenders
So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you’ll be as secure as you possibly could be.
What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place
 
Oct 25, 2017
10,099

RexNovis

Member
Oct 25, 2017
2,332
What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place
Not happening. He specifically does not post these in any searchable way to avoid further compromising passwords. His blog post talking about the password search feature goes into detail about how it works and each password is not stored on the site in any way.
 

Dyno

The Fallen
Oct 25, 2017
2,745
Troy is a renowned security researcher who works for Microsoft. He’s not selling shit
That's a bit more reassuring. I've never used their services since I've always kinda worried about what happens to the data, but a quick check shows my most important passwords are untouched.

Not happening. He specifically does not post these in any searchable way to avoid further compromising passwords. His blog post talking about the password search feature goes into detail about how it works and each password is not stored on the site in any way.
Ah awesome. I won't feel as worried to check my account with them tbh then. Though having said that with my passwords safe I should be all good I guess anyway.
 
Oct 25, 2017
10,099
So MyFitnessPal and 500px had breaches months ago. Are these new or is someone just trying to make a buck off old breaches? Reselling old breaches is not new and these stories should disclose if these are in fact new.

Edit: The Register touches on it but Engadget doesn't.
 

NekoFever

Member
Oct 25, 2017
1,653
What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place
The site is legitimate. The owner is a Microsoft regional director and security researcher who lectures all over the world.

He wrote a detailed blog post about how the checking feature works. IIRC the service only sees the first few characters of the hash of whatever you input, and all the checking is done in your browser on your end.
 
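The prefix-only lookup described above, as an added example that is not part of this thread or of the real Pwned Passwords service: the client hashes the password locally with SHA-1, sends only the first five hex characters, and then matches its own suffix against the returned range itself, so the server never sees the password or its full hash. The server here is a constructed offline stand-in, and the "leaked" corpus is made up for the example.

```python
import hashlib
from collections import Counter

PREFIX_LEN = 5  # the range lookup receives only the first 5 hex chars of the SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, computed entirely on the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "breach corpus" standing in for the real data set (not real data).
CONSTRUCTED_LEAKED = ["password", "password", "123456", "qwerty", "letmein"]


class FakeRangeServer:
    """Offline stand-in for a /range/{prefix} endpoint (constructed for this example).
    Stores hashes of the corpus; for a 5-char prefix it returns every stored suffix
    with that prefix as 'SUFFIX:COUNT' lines, and logs exactly what it was sent."""

    def __init__(self, leaked_passwords):
        self.counts = Counter(sha1_hex(p) for p in leaked_passwords)
        self.received = []  # everything the server learns about client queries

    def range(self, prefix: str) -> str:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("range query must be exactly 5 hex characters")
        self.received.append(prefix)
        rows = [f"{h[PREFIX_LEN:]}:{n}" for h, n in self.counts.items()
                if h.startswith(prefix)]
        return "\n".join(sorted(rows))


def parse_range(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a dict, tolerating blank lines."""
    counts = {}
    for line in body.splitlines():
        if line.strip():
            suffix, count = line.strip().split(":")
            counts[suffix] = int(count)
    return counts


def pwned_count(password: str, server: FakeRangeServer) -> int:
    """Client side of the k-anonymity check: hash locally, send the prefix only,
    then look for our own suffix in the returned range. 0 means 'not in corpus'."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range(server.range(prefix)).get(suffix, 0)
```

A count of 0 only says the hash is absent from the corpus queried; it says nothing about the password's strength, and a hit on a password you actually use is a reason to rotate it, not a reason to keep it.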

SpottieO

Member
Oct 25, 2017
2,440
Went ahead and changed my old myfitnesspal password. It was from before I had LastPass so it wasn’t as secure as all of my other ones.
 

Cas

Avenger
Oct 27, 2017
3,193
Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.
Wow, so how are they getting through Google's 2FA so easily? Are you using a smartphone confirmation?
 

FaceHugger

Member
Oct 27, 2017
6,299
I have two different services I subscribe to that warn me of data breaches that may affect me (along with possible run of the mill identity theft) - one free for reasons, the other I pay for. Given the frequency with which I receive alerts this is not surprising.
 

SegFault

Member
Oct 25, 2017
1,939
20k for all this info? Yea it’s probably junk people already have otherwise the asking price would be more exorbitant.

Still. Change your passwords, use two-factor, use a password manager, etc. Be vigilant.
 

Mupod

Member
Oct 25, 2017
2,673
A few weeks ago I finally bit the bullet and set up Lastpass for every site I could think of, instead of just a handful. I've used it at work for years and honestly it was kind of shitty until some recent updates. But it's very good at detecting password fields and password changes these days, I see no reason not to use it now. Certainly outweighs the inconvenience of remembering 80+ passwords, but it's also nice seeing posts about major breaches and being able to get all smug about how secure you are.

The degree of access needed here would mean you're pooched anyways.
 

KojiKnight

Member
Oct 25, 2017
7,639
This is why I have different email addresses and the one I use most often only gets used on websites I don't care if anything happens to (still 2 factor).

Shit's crazy. Nothing like having your information stolen because you logged into the forums of places like Rust or EA.
 

Red

Member
Oct 26, 2017
2,048
Wow, so how are they getting through Google's 2FA so easily? Are you using a smartphone confirmation?
I am, yes, and I'm not sure how the accounts were compromised. No Google services seem to be in this bucket of hacks, so it's probably unrelated. But I'm curious about how it happened.
 

Tall4Life

Member
Oct 25, 2017
4,974
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it’s relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop-gapped record of them for reference. The most secure passwords are generally just strings of random words put together to create something like

TaffyGritSuspenders
So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you’ll be as secure as you possibly could be.
That’s not more secure, I can easily crack that with a dictionary attack. Please stop posting false information.

The point of those passwords is to limit what a brute force attack can do as they check for every combination. Against a rainbow table any password is fucked. Against a dictionary attack, any words in their dictionaries, combinations, letters replaced with numbers or symbols etc, are vulnerable.

The point is to make separate passwords for each site and accept that they’ll likely be cracked eventually, and change it. You saying that password combination is the most secure is incredibly irresponsible and only adds to the danger of leaked information.
 

Hollywood Duo

Member
Oct 25, 2017
14,181
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it’s relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop-gapped record of them for reference. The most secure passwords are generally just strings of random words put together to create something like

TaffyGritSuspenders
So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you’ll be as secure as you possibly could be.
No offense to you but I'm not putting my passwords in to some random website.
 

ConanEd

Member
Dec 27, 2018
574
I switched to both LastPass and Bitwarden recently and changed most of my passwords. Still evaluating both and can't say which one is better.