The scale of data breaches in today’s world has been illustrated by a new sale on the dark web that is offering buyers the chance to acquire some 620 million login credentials obtained from 16 hacked websites.
Websites to have their users caught up in the data breaches include Dubsmash, which has seen 162 million records compromised, MyFitnessPal (151 million), MyHeritage (92 million) and 500px (15 million), The Register reports.
While some of these sites were already known to have been compromised and warned their users in 2018, this is the first time others have been revealed to have been hacked.
Sample records seen by the publication appear to be legitimate, consisting mostly of account holder names, email addresses and hashed passwords. Some sites also offer other information, such as location, personal details, and social media authentication tokens, but no financial details appear to be included.
As a result, the data would most likely be of interest to criminals looking to commit credential stuffing attacks, where they enter known username and password combinations into a variety of other sites to find one where someone has reused the same details.
While hashed passwords would have to be cracked first, this may not be overly difficult, especially for sites that still use outdated solutions for this. For instance, 500px was noted to have been using the outdated MD5 algorithm to protect its logins, which could allow hackers to break the hashing of weaker passwords.
The seller, who is offering the entire cache for less than $20,000 (£15,500) and is already said to have had at least one buyer, told The Register they have as many as 20 databases of information to offer online, and have acquired roughly a billion account details in total.
It is therefore another reminder to users of the importance of following basic security best practices and not reusing login credentials across multiple sites, as if even one of these suffers a data breach, it could quickly expose many more of an individual’s accounts across the internet.
