
Hacker that stole 620 million account credentials last year stole 127 million more
Beyond the theft itself, which spans both this year and last, the hacker has posted offers for the stolen databases of confidential account information across multiple dark web sites, asking $14,500 USD worth of Bitcoin.
The pilfered databases, and the number of accounts stolen from each, come from the following sites and services, in order from most to fewest accounts stolen:
• Dubsmash (162 million)
• MyFitnessPal (151 million)
• MyHeritage (92 million)
• Houzz Pro (57 million)
• ShareThis (41 million)
• YouNow (40 million)
• HauteLook (28 million)
• Animoto (25 million)
• EyeEm (22 million)
• 8fit (20 million)
• Whitepages (provider of Whitepages Caller ID & Block, 18 million)
• Ixigo Cabs App (18 million)
• Fotolog (16 million)
• 500px (15 million, see our coverage from last night)
• Armor Games (11 million)
• Bookmate (8 million)
• Coffee Meets Bagel (6 million)
• Stronghold Kingdoms (5 million)
• Roll20 (4 million)
• ge.tt (1.8 million)
• Artsy (1 million)
• Petflow (1 million)
• DataCamp (700,000)
• Coinmama (450,000)
All in all, 24 websites and services had a total of nearly 747 million account credentials stolen, an unprecedented occurrence in terms of the sheer scale of data stolen and sold on the dark web. Despite this, the data in these databases is relatively standard: account names, email addresses, and hashed passwords that must be cracked before they are of any use to account hijackers. Of course, that only holds for websites that actually hash their password databases. According to a report by TechCrunch, Ixigo Cabs App and PetFlow (like 500px, from the earlier batch of stolen databases) hashed their passwords using only the MD5 algorithm. Even worse, YouNow did not scramble user passwords in any way.
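As an added illustration, not part of the original article, the Python below contrasts the unsalted MD5 storage described above with a salted, iterated hash, and shows how a site can re-hash legacy MD5 records the next time each user logs in. The record layout and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation)


def md5_store(password: str) -> str:
    """The weak scheme the article describes: unsalted MD5 of the raw password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus a slow, iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a pbkdf2_store() record."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login; if the record still uses legacy MD5, re-hash it in place.

    `record` is a hypothetical row shaped like {"scheme": "md5"|"pbkdf2", "hash": str}.
    """
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(md5_store(password), record["hash"])
        if ok:  # upgrading is only possible while the plaintext is in hand, i.e. at login
            record["scheme"], record["hash"] = "pbkdf2", pbkdf2_store(password)
        return ok
    return pbkdf2_verify(password, record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a common password.
    users = {"alice": md5_store("password"), "bob": md5_store("password")}
    print("same MD5 digest for both users:", users["alice"] == users["bob"])  # True
    print("salted records differ:", pbkdf2_store("password") != pbkdf2_store("password"))  # True
```

Identical MD5 digests across users are what make a leaked database cheap to reverse with precomputed tables; a per-user salt and a high iteration count remove that shortcut.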
Remember to always stay vigilant and follow some account security best practices, such as using a password manager like LastPass or KeePass and using a password and account monitoring service such as Have I Been Pwned or Google's newly released Password Checkup. Security is almost always worth the extra effort to implement, especially when it comes to services with vital data.
Further coverage: The Register, TechCrunch, Engadget