March 12, 2019
Multiple account database hack attacks resulted in more than 600 million user records being sold on the dark web last month. The illicit database has been taken off sale for now, but the incident highlighted the seriousness of such attacks and the high number of them that occur, some without anyone knowing.
16 companies were involved in the account database hacks, resulting in 620 million user records being put up for sale, all at different prices. For under $20,000, buyers had access to these 620 million records. The information contained within usually amounted to user names, passwords and email addresses. For the most part, passwords seemed to be in encrypted formats.
The databases are of interest to spammers and credential stuffers. If they can decrypt the weaker passwords, there is potential to expose those affected on other sites where they use the same password, sites which might hold more information, even financial. Thankfully, these databases had no payment or financial information within them.
Known breaches like those against MyFitnessPal (150m) and DubSmash (161.5m) made up part of the contents of the data breach, but many records seemed to come from sites and services not known to have suffered incidents.
As a result of the account database hack, several services have either reported previously undisclosed breaches (hopefully not) or discovered for themselves that they had suffered one in the first place, having previously been unaware. The data from all the companies appears to be legitimate.
Armor Games, for example, whose business is rooted in browser-based games, confirmed that every single user of its service was hit in the breach. It said:
“Armor Games sincerely apologizes for the inconvenience and concern this incident may cause, and remains committed to safeguarding the personal information in its care.”
Looking at Armor alone, 11 million users were affected, with all of their profile data stolen. That included usernames, email addresses, IP addresses, and hashed passwords, plus information about its password protection processes at the time.
We’ve seen many times before that one of the biggest challenges when getting hacked is just knowing it is happening. Organizations need the tools and solutions to help them detect intrusions in the first place, before they can even think about fighting them off.
Appearing in this mega database of hacks was likely a very unpleasant way for some companies to discover they had been breached.