Anatomy of a Breach: 620 Million Accounts from 16 Hacked Sites — The Dark Web Supermarket

> series: anatomy_of_a_breach —— part: 122 —— seller: gnosticplayers —— accounts: 620,000,000 —— price: <$20,000

Hedgehog Security 28 February 2019 12 min read

620 million accounts. 16 companies. For sale for less than $20,000.

In February 2019, a hacker using the alias 'gnosticplayers' listed 620 million account records from 16 different websites for sale on the Dream Market dark web marketplace. The combined price for all 620 million records was less than $20,000 in Bitcoin. The affected companies included Dubsmash (162M accounts), MyFitnessPal/Under Armour (150M), MyHeritage (92M), ShareThis (41M), Animoto (25M), EyeEm (22M), 8fit (20M), Whitepages (18M), and eight others.

Within weeks, gnosticplayers released additional batches — ultimately offering over 1 billion accounts from 44 companies. The sales demonstrated the complete industrialisation of breach data commerce: a single individual could compromise dozens of companies, aggregate the data, and sell it as a commodity product on a dark web marketplace — with prices so low that the barrier to acquiring mass credential datasets was effectively zero. Combined with Collection #1's 2.2 billion aggregated credentials from the previous month, the first two months of 2019 had flooded the criminal marketplace with credential data at a scale that dwarfed everything that came before.



A billion credentials. Cheaper than a used car.

Credentials as Commodity

At less than $20,000 for 620 million records — $0.000032 per record — the price of stolen credentials had fallen to effectively zero. This means that the economic barrier to credential-stuffing attacks has been eliminated. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA because the cost of acquiring your users' passwords is now negligible.

One Hacker, 44 Companies

Gnosticplayers demonstrated that a single skilled individual can compromise dozens of companies and sell the data as a side business. The 'lone wolf' threat model remains relevant even as organised ransomware gangs dominate headlines. Our <a href="/penetration-testing/web-application">web application testing</a> finds the vulnerabilities that individual hackers exploit.

Password Storage Varied Wildly

Some of the 16 breached companies used bcrypt (good), others used SHA-1 or SHA-256 without salt (poor), and some used MD5 (catastrophic). The variability in password storage across the internet means that some fraction of any credential dump will contain easily crackable passwords. Our <a href="/penetration-testing/web-application">application testing</a> verifies password storage.

Dark Web Monitoring Is Essential

<a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when your organisation's credentials appear in dark web marketplaces — enabling forced password resets before the credentials are weaponised in credential-stuffing attacks.
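To make the "Password Storage Varied Wildly" point concrete, here is an added example (not Hedgehog Security's code) of the check an auditor runs over a leaked user table: classify each stored value by its shape, measure what fraction sits in the cheaply crackable MD5/SHA-1/SHA-256 bucket, and use duplicate digests across users as evidence that no per-user salt was in use. The sample rows are constructed, and PBKDF2 with a random salt stands in for bcrypt only because bcrypt is not in Python's standard library.

```python
import hashlib
import os
import re

# Constructed sample of (user, stored_hash) rows, as an auditor might pull them
# from a breached application's user table. Not data from any real breach.
SAMPLE_RECORDS = [
    ("alice", hashlib.md5(b"password123").hexdigest()),
    ("bob", hashlib.md5(b"password123").hexdigest()),      # same password as alice
    ("carol", hashlib.sha1(b"letmein").hexdigest()),
    ("dave", hashlib.sha256(b"letmein").hexdigest()),
    ("erin", "$2b$12$" + "a" * 53),                        # bcrypt-shaped placeholder
]

# Format name, shape regex, and the rating the article gives each scheme.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$"), "good"),
    ("md5", re.compile(r"^[0-9a-f]{32}$"), "catastrophic"),
    ("sha1", re.compile(r"^[0-9a-f]{40}$"), "poor"),
    ("sha256", re.compile(r"^[0-9a-f]{64}$"), "poor"),
]

def classify_hash(stored):
    """Return (algorithm, rating) for one stored value, judged by its shape."""
    for name, pattern, rating in HASH_PATTERNS:
        if pattern.match(stored):
            return name, rating
    return "unknown", "unknown"

def audit_password_storage(records):
    """Summarise how a user table stores passwords. Unsalted fast hashes give the
    same digest for the same password, so cross-user duplicates prove no salt."""
    counts, seen, duplicates = {}, set(), 0
    for _user, stored in records:
        name, rating = classify_hash(stored)
        counts[name] = counts.get(name, 0) + 1
        if rating != "good":
            duplicates += stored in seen
            seen.add(stored)
    weak = sum(counts.get(n, 0) for n in ("md5", "sha1", "sha256"))
    return {"by_algorithm": counts, "weak_records": weak,
            "weak_fraction": weak / len(records), "duplicate_weak_digests": duplicates}

def salted_digest(password, salt=None):
    """Stand-in for a slow salted scheme such as bcrypt (not in the standard
    library): PBKDF2-HMAC-SHA256 with a random 16-byte salt and a high iteration
    count. Two users with the same password now get different stored records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()
```

On the constructed sample, four of five records are cheaply crackable and the two identical MD5 digests show the application never salted them; the same report over a real dump tells you how much of it is crackable offline and therefore how urgently to force resets.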

When credentials cost nothing, only MFA has value.

The gnosticplayers dumps, combined with Collection #1, established that credential data is now effectively free. The only security control that retains value when passwords are a commodity is MFA — making stolen credentials worthless without the second factor. Cyber Essentials Danzell mandates MFA. SOC in a Box monitors for credential exposure and credential-stuffing attempts. Our penetration testing validates authentication controls. And UK Cyber Defence provides incident response when credential compromise is detected.


A billion credentials from one hacker. For $20,000. MFA is the only defence that still works.

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors dark web marketplaces. <a href="/penetration-testing">Penetration testing</a> validates your authentication.
