A dark web marketplace is where one can buy all sorts of illegal stuff, including drugs, fake ID cards and weapons. Lately, these marketplaces have become the best place for hackers and cyber criminals to sell databases stolen from Internet giants.
A vendor going by the handle “SunTzu583” is selling millions of Gmail and Yahoo accounts on a dark web marketplace. The listing was published this week and shows SunTzu583 selling 100,000 Yahoo accounts acquired from the 2012 Last.FM breach, in which 43 million user accounts were exposed and publicly released in September 2016. These accounts contain usernames, emails and their passwords in plain text. The price for this listing is only 0.0079 BTC (USD 10.75), probably because the data is already public.
Another listing from SunTzu583 offers a further 145,000 Yahoo accounts for 0.0102 BTC (USD 13.75). These accounts also contain usernames, emails and their decrypted passwords. According to HackRead’s research, these accounts were taken from two separate breaches: the Adobe breach of October 2013, in which 153 million accounts were breached, each containing an internal ID, username, email, encrypted password and a plain-text password hint; and the MySpace breach of 2008, in which 360 million user accounts were stolen and then leaked on the dark web in 2016.
Google’s Gmail is known as one of the most secure email service providers, but there is nothing Google can do when Gmail accounts are stolen through a third-party breach. The data in question here covers 500,000 Gmail users and is being sold on the same marketplace for 0.0219 BTC (USD 28.24). The data contains usernames, emails and their clear-text passwords stolen in three breaches: the Bitcoin Security Forum breach in September 2014, the MySpace breach in 2008, and the Tumblr breach in 2013, in which millions of accounts were stolen and leaked online.
Another listing shows the same vendor selling 450,000 Gmail accounts for 0.0199 BTC (USD 25.74). Just like the other listings, these accounts include emails and their clear-text passwords. This listing was apparently compiled from data stolen in the Bitcoin Security Forum, Tumblr, Last.fm, 000webhost, Adobe, Dropbox, Flash Flash Revolution, LookBook and Xbox360 ISO breaches. It must be noted that all these breaches took place between 2010 and 2016.
Is the data legit?
Although in some cases it is hard to verify whether data on the dark web is legit, in this case HackRead checked the data on data breach notification platforms such as Hacked-DB and Haveibeenpwned.
Also, we contacted some of the users whose login credentials appear in the sample data and, with their permission, logged into different platforms including MySpace, Dropbox, Tumblr, etc. It turned out that several of them had recently changed their passwords, and in some cases their accounts were temporarily blocked because they had not changed their passwords. This highlights the fact that although the data is old, it poses a massive security threat to victims, since it is in clear text and available all in one place.
It is highly recommended that if your account was among the breaches mentioned above and you have not changed your password yet, you do it right now.