Hackers dump sensitive info from 617 million accounts: Dubsmash, 15 other sites exposed


These are tough times to live in: we want to be digitally omnipresent and, at the same time, avoid being hacked. Cyber-heists are reported every other day, and a new one has exposed millions of accounts from popular websites that people commonly use.

According to The Register, sensitive information from 617 million accounts sourced from 16 websites has been dumped on the dark web for anyone with the financial means to grab. The affected websites include some of the popular ones such as Dubsmash, MyFitnessPal, ShareThis, 500px and others.

Dubsmash had the highest number of user accounts, 162 million to be precise, that were exposed in the hack, followed by MyFitnessPal, which had 151 million account details leaked. Below is the complete list of websites and the number of accounts that have been hacked.

| Websites hacked | Number of accounts affected |
| --- | --- |
| Dubsmash | 162 million |
| MyFitnessPal | 151 million |
| MyHeritage | 92 million |
| ShareThis | 41 million |
| HauteLook | 28 million |
| Animoto | 25 million |
| EyeEm | 22 million |
| 8fit | 20 million |
| Whitepages | 18 million |
| Fotolog | 16 million |
| 500px | 15 million |
| Armor Games | 11 million |
| BookMate | 8 million |
| CoffeeMeetsBagel | 6 million |
| Artsy | 1 million |
| DataCamp | 700,000 |

This is one of the largest data breaches this year. The Register reported that the seller was asking for less than $20,000 in Bitcoin for the stolen data. The data was spotted on a dark web marketplace called The Dream Market, and the samples appeared legitimate. The stolen information from the 16 sites included account holder names, email addresses and passwords.

It appears the passwords were hashed or encrypted, which means they would need to be cracked before they could be exploited. But users who have the habit of reusing passwords across various websites should change their login credentials immediately. Some of the affected websites, such as 500px and EyeEm, are asking users to reset their passwords.

"It is quite common for people to reuse the same login credentials for accounts across a wide range of services in different industries including the financial, healthcare, retail and education verticals. If a malicious actor was able to obtain the email address and crack a hashed password for just one of these accounts, they could potentially gain access to multiple accounts with sensitive information," Stephan Chenette, CTO and co-founder of AttackIQ, told SC Magazine.

Sites store different kinds of information depending on the service they offer to users, and some of them exposed users' location, personal details and social media authentication tokens.

Users who think they have been a victim of a cyberattack can also check on the haveibeenpwned website whether their password is safe or needs to be changed.
