617 Million+ account details from data breaches posted for sale on dark web

Axe · Feb 22, 2019

I hadn't seen anything about this, so apologies if old. Received an email from have i been pwned? this morning saying that my details were compromised in a MyFitnessPal breach that occurred last year (143,606,147 accounts affected) and that the data is now up for sale. Upon looking into it further it seems many more sites and apps have been compromised and all of the details are part of this sale too.

The Register — 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.

Engadget — Stolen user data from MyFitnessPal and other services hits the dark web

Most of the passwords are believed to be encrypted and hashed, meaning any buyer will have to crack the encryption to gain access to the accounts. However, because data breaches have become some common, a purchaser could cross-reference email addresses with previous breaches. If a person has reused a password, their account may be compromised. As a precaution, if you've used any of the affected services, it's probably best to change your password.

Everyone who might be affected should check if their accounts have been compromised.

EDIT: Here's an excellent guide on securing your accounts.
https://www.resetera.com/threads/th...-changing-some-passwords.94070/#post-16957658

spindashing · Feb 22, 2019

Well, shit. I got hit. Lastpass got my back, will do what I have to.

TheSkullPrince · Feb 22, 2019

Just changed my MyFitnessPal password

Clefargle · Feb 22, 2019

What's that? 1/10th of the human population roughly? Jesus

Red · Feb 22, 2019

Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.

Black_Red · Feb 22, 2019

Damn I had an acount on myfitnesspal and fotolog.

It was an old password, but I dont know if I have used it somewhere else.

F34R · Feb 22, 2019

Sucks for everyone affected. :(
Luckily, I don't have an account with any of those sites.

MagicDoogies · Feb 22, 2019

What's interesting in the article is the statement that some of these sites NEVER told their users about a security breach. Imagine now finding out you were compromised through an article where the data was already bought and about to be used.

NekoNeko · Feb 22, 2019

At this point i just assume that everyone who really wants can get into my accounts. I'm making sure that it doesn't matter all that much.

Etrian Oddity · Feb 22, 2019

Great spot OP, thanks. I used MFP back in the day.

MagicDoogies said:
What's interesting in the article is the statement that some of these sites NEVER told their users about a security breach. Imagine now finding out you were compromised through an article where the data was already bought and about to be used.

This is the real horseshit that needs legislation, the negligence in aftermaths.

Donos · Feb 22, 2019

Dipro said:
At this point i just assume that everyone who really wants can get into my accounts. I'm making sure that it doesn't matter all that much.

Really, just use Lastpass, KeePass or whatever password manager fits you and generate some random big ass passwords for each site. The programs all have mobile aps so you have all passes with you all the time.

Work collegaue has the same password for everything (that something i would not tell out loud btw). I tried to reason with him and told him about breaches but he doesn't care.

PeskyToaster · Feb 22, 2019

It's BS that companies have put the password security onus on customers.

Deleted member 8118 · Feb 22, 2019

A few years ago, I went through all of my old accounts and started erasing them and changing passwords.

It doesn't make sense for many of us to have so many accounts. I haven't even used some in years.

NekoNeko · Feb 22, 2019

Donos said:
Really, just use Lastpass, KeePass or whatever password manager fits you and generate some random big ass passwords for each site. The programs all have mobile aps so you have all passes with you all the time.

Work collegaue has the same password for everything (that something i would not tell out loud btw). I tried to reason with him and told him about breaches but he doesn't care.

i do use that for the most important sites but for everything else it's too big of a hassle for me.

Hulohot · Feb 22, 2019

Bitcoin isn't anonymous. They'll get caught.

Donos · Feb 22, 2019

Dipro said:
i do use that for the most important sites but for everything else it's too big of a hassle for me.

With the apps on my smartphone (KeePass), it works pretty fast so i don't mind. Breaches are getting more and more so i don't risk it. Only a couple sites i use still have "normal" passwords which i have memorised but they all have 2FA via sms or Google Authenticator and are still unique only for this site.

Deleted member 18742 · Feb 22, 2019

So I have been "pwned on 1 breached site and found no pastes".

Should I change my passwords or something?

Deleted member 21431 · Feb 22, 2019

Those advocating password managers please note they are insecure:

https://bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

StarStorm · Feb 22, 2019

Luckily I don't have an account with any of those sites.

RexNovis · Feb 22, 2019

To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it's relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop gapped record of them for reference. The most secure passwords are generally just strings of random words out together to create something like

TaffyGritSuspenders

So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you'll be as secure as you possibly could be.

Robochimp · Feb 22, 2019

I've only ever used Facebook login to access MyFitnessPal, while my email address is listed on haveIbeenpwned for this breech, there shouldn't be a password in MyFitnessPal's database right?

Joni · Feb 22, 2019

Tommolb said:
Those advocating password managers please note they are insecure:

https://bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

Sure, but you do have to get it of my computer if you want it.

RexNovis · Feb 22, 2019

Robochimp said:
I've only ever used Facebook login to access MyFitnessPal, while my email address is listed on haveIbeenpwned for this breech, there shouldn't be a password in MyFitnessPal's database right?

Uncertain. They may have a hashed record of your Facebook password stored. Try putting your face book password into the pwned password link to make sure. Even if it lists it as not owned I'd reccomend updating it to be safe

Robochimp · Feb 22, 2019

RexNovis said:
Uncertain. They may have a hashed record of your Facebook password stored. Try putting your face book password into the pwned password link to make sure. Even if it lists it as not owned I'd reccomend updating it to be safe

Ok, the password is not pwned, they must just get an authorization token from Facebook.

RexNovis · Feb 22, 2019

Robochimp said:
Ok, the password is not pwned, they must just get an authorization token from Facebook.

Good! Like I said I'd change your password just to be safe. Take the opportunity to make a more secure one using the tips I posted above. It might just keep your account safe in the future.

Robochimp · Feb 22, 2019

RexNovis said:
Good! Like I said I'd change your password just to be safe. Take the opportunity to make a more secure one using the tips I posted above. It might just keep your account safe in the future.

I'm not worried, it's a long complicated one use password created by my iPhone, and I have 2FA on.

ManEater · Feb 22, 2019

Yep, I'm hit, unverified they say, but better safe than sorry, so...

Voyager · Feb 22, 2019

I used myfitness pal, can't remember the password though... it's been a while.

Dyno · Feb 22, 2019

RexNovis said:
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it's relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop gapped record of them for reference. The most secure passwords are generally just strings of random words out together to create something like

TaffyGritSuspenders

So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you'll be as secure as you possibly could be.

What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place

Box · Feb 22, 2019

Three random words and no overlaps.

TarpitCarnivore · Feb 22, 2019

Tommolb said:
Those advocating password managers please note they are insecure:

https://bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

This was circulating on HackerNews and some deeper dives went into this. At the level at which this is exposed you're already beyond compromised.

Password managers automatically don't make you safe but this story is a bit of a fear tactic.

TarpitCarnivore · Feb 22, 2019

Dyno said:
What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place

Troy is a renowned security researcher who works for Microsoft. He's not selling shit

RexNovis · Feb 22, 2019

Dyno said:
What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place

Not happening. He specifically does not post these in any searchable way to avoid further compromising passwords. His blog post talking about the password search feature goes into detail about how it works and each password is not stored on the site in any way.

Dyno · Feb 22, 2019

TarpitCarnivore said:
Troy is a renowned security researcher who works for Microsoft. He's not selling shit

That's a bit more reassuring. Ive never used their services since Ive always kinda worried about what happens to the data, but a quick check shows my most important passwords are untouched.

RexNovis said:
Not happening. He specifically does not post these in any searchable way to avoid further compromising passwords. His blog post talking about the password search feature goes into detail about how it works and each password is not stored on the site in any way.

Ah awesome. I won't feel as worried to check my account with them tbh then. Though having said that with my passwords safe I should be all good I guess anyway.

TarpitCarnivore · Feb 22, 2019

So MyFitnessPal and 500px had breaches months ago. Are these new or is someone just trying to make a buck off old breaches? Reselling old breaches is not new and these stories should disclose if these are in fact new.

Edit: Register touches on it but Engadget doesnt

NekoFever · Feb 22, 2019

Dyno said:
What are the chances that site will also sell your password just for checking it? I've always been super dubious of that site in the first place

The site is legitimate. The owner is a Microsoft regional director and security researcher who lectures all over the world.

He wrote a detailed blog post about how the checking feature works. IIRC the service only sees the first few characters of the hash of whatever you input, and all the checking is done in your browser on your end.

SpottieO · Feb 22, 2019

Went ahead and changed my old myfitnesspal password. It was from before I had LastPass so it wasn't as secure as all of my other ones.

Deleted member 19003 · Feb 22, 2019

Red said:
Two of my Gmail accounts were compromised recently, and they both had unique passwords/2FA. I wonder if more reports will come out. I had to change my 500px password back in November because of a breach.

Wow, so how are they getting thru googles 2fa so easily? Are you using a smartphone confirmation?

FaceHugger · Feb 22, 2019

I have two different services I subscribe to that warn me of data breaches that may affect me (along with possible run of the mill identity theft) - one free for reasons, the other I pay for. Given the frequency with which I receive alerts this is not surprising.

Randomly Generated · Feb 22, 2019

It says the MyFitnessPal breach also contains IP addresses — can they do anything with that info?

PositivePolitique · Feb 22, 2019

Tommolb said:
Those advocating password managers please note they are insecure:

https://bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

Like iCloud?

SegFault · Feb 22, 2019

20k for all this info? Yea it's probably junk people already have otherwise the asking price would be more exorbitant.

Still. Change your passwords use two factor use a password manager etc. be vigilant

Mupod · Feb 22, 2019

A few weeks ago I finally bit the bullet and set up Lastpass for every site I could think of, instead of just a handful. I've used it at work for years and honestly it was kind of shitty until some recent updates. But it's very good at detecting password fields and password changes these days, I see no reason not to use it now. Certainly outweighs the inconvenience of remembering 80+ passwords, but it's also nice seeing posts about major breaches and being able to get all smug about how secure you are.

Tommolb said:
Those advocating password managers please note they are insecure:

https://bit-tech.net/news/tech/software/researchers-warn-of-serious-password-manager-flaws/1/

The degree of access needed here would mean you're pooched anyways.

Inugami · Feb 22, 2019

This is why I have different email addresses and the one I use most often only gets used on websites I don't care if anything happens to (still 2 factor).

Shits crazy. Nothing like having your information stolen because you logged into the forums of places like Rust or EA.

Deleted member 3897 · Feb 22, 2019

Don't have a user on any of the sites mentioned in the article. So Im cool?

Red · Feb 22, 2019

Cas said:
Wow, so how are they getting thru googles 2fa so easily? Are you using a smartphone confirmation?

I am yes, and I'm not sure how the accounts were compromised. No google services seem to be in this bucket of hacks so it's probably unrelated. But I'm curious about how it happened.

Deleted member 1088 · Feb 22, 2019

RexNovis said:
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it's relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop gapped record of them for reference. The most secure passwords are generally just strings of random words out together to create something like

TaffyGritSuspenders

So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you'll be as secure as you possibly could be.

That's not more secure, I can easily crack that with a dictionary attack. Please stop posting false information.

The point of those passwords is to limit what a brute force attack can do as they check for every combination. Against a rainbow table any password is fucked. Against a dictionary attack, any words in their dictionaries, combinations, letters replaced with numbers or symbols etc, are vulnerable.

The point is to make separate passwords for each site and accept that they'll likely be cracked eventually, and change it. You saying that password combination is the most secure is incredibly irresponsible and only adds to the danger of leaked information.

Hollywood Duo · Feb 22, 2019

RexNovis said:
To check to see if your passwords were compromised you should use this link

https://haveibeenpwned.com/Passwords

Input your password and it will tell you if it has been a part of any leaks. The passwords you input are not stored in any fashion and are searched using a secure hash system so it's relatively safe.

I would actually suggest using unique passwords of your own making for every account and keeping a physical or stop gapped record of them for reference. The most secure passwords are generally just strings of random words out together to create something like

TaffyGritSuspenders

So just come up with some random words and put them together. I find that the more random and bizarre they are the easier it actually is to remember these passwords. You can then alter it to include numerals or symbols if needed. Only use each password with a single account online. Never use the same words or phrases across multiple passwords and you'll be as secure as you possibly could be.

No offense to you but I'm not putting my passwords in to some random website.

phonicjoy · Feb 22, 2019

Hollywood Duo said:
No offense to you but I'm not putting my passwords in to some random website.

Its been posted 3 times now that this is a good resource and anything but random.

Alternatively, use 1Password, which has integrated these lists into the app and scans for compromised passwords.

ConanEd · Feb 22, 2019

I switch to both LastPass and BitWarden recently and changed most of my passwords. Still evaluating both and can't say which one is better.

617 Million+ account details from data breaches posted for sale on dark web

One Winged Slayer

User requested account closure

User requested account closure

User requested account closure

User requested account closure

User requested account closure

Alt account