Credential Stuffing Scammer Lists 620 Million Records on the Dark Web

Credential stuffing scams are becoming more prevalent and companies are increasingly seeing their customers accounts hacked. In the past three months, Dunkin’ Donuts has twice been a victim of the scam which uses usernames and passwords found on the internet to access customers accounts. It now seems that 617 million of these records are now allegedly up for sale on the Dark Web.

Affected Websites

According to the website The Register, a seller on a Dark Web marketplace called Dream Market has been offering these stolen databases since Monday. The accounts allegedly affect the following sites:

  • Dubsmash: 162 million
  • MyFitnessPal: 151 million
  • MyHeritage: 92 million
  • Share This: 41 million
  • HauteLook: 28 million
  • Animoto: 25 million
  • EyeEm: 22 million
  • 8fit: 20 million
  • Whitepages: 18 million
  • Fotolog: 16 million
  • 500px: 15 million
  • Armor Games: 11 million
  • BookMate: 8 million
  • CoffeeMeetsBagel: 6 million
  • Artsy: 1 million
  • DataCamp: 700,000

The Register contacted all of these sites to inform them of this list. Many of the sites are photography and fitness orientated. Some of the sites have previously reported breaches, others said they needed to check their IT and legal teams about the alleged breaches.

Account Data

In cases such as Dubsmash, it appears username, password, email address and in some cases first and last names were taken as part of the record.

New York City-based Dubsmash has hired a law firm Lewis Brisbois to look into the online sale. They stated that:

“Our office has been retained to assist Dubsmash in this matter. Thank you for your alert. We immediately launched an investigation. We plan to notify any and all individuals as appropriate. Again, thank you for bringing this to our attention.”

Dark Web Seller

The seller who has these records for sale on The Dark Web told The Register that the Dubsmash data was bought by at least one person.

This seller claims to have been the hacker who used credential stuffing to extract the databases, each of which is being sold separately.

The seller has also claimed that they have as many as 20 databases and that some of them they are keeping for themselves for private use.

In a statement, the hacker stated:

“I don’t think I am deeply evil. I need the money. I need the leaks to be disclosed. Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

It is advised to keep changing passwords and to make them difficult to guess. Keeping each password unique to each site is also a good way to prevent credential stuffing attacks across other websites.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients