Anti Public Combo List with Billions of Accounts Goes on Dark Web for Sale

A couple of days ago it was reported that Troy Hunt, a cyber security blogger got his hands on a trove of data that was compiled by cyber criminals through brute force technique and some collected from previous data breaches.

The data Hunt discovered was in two lists with one list containing 457,962,538 accounts while the second one from Exploit.in containing 593,427,119 accounts. Now, it has emerged that in two different listings, two vendors going by the online handles of “wildfruit2” and “dbworld” are selling 457,962,538 accounts from anti-public combo list on a popular Dark Web marketplace. Both listings contain email addresses and clear text passwords of users around the world.

The price for wildfruit2’s listings is USD 230.63 (BTC 0.1451) whereas dbworld’s list is being sold in  USD 249.63 (BTC 0.1571). Here’s a screenshot from the Dark Web market where data is being sold:

Here, it must be noted that both vendors provided HackRead with sample data and upon scanning the sample credentials on Have I been pwned (HIBP), we can confirm that both vendors are selling legit data. Here’s a screenshot from HIBP showing the sample accounts are part of the combo list:

HIBP Screenshot

However, the nightmare doesn’t end here. Upon further research, we found out that “wildfruit2” is also selling 800 million accounts from Exploit.In combo list for just USD 15.63 (BTC 0.0095). The list contains unique emails and their clear text password of users around the world. It can be said that both lists discovered by Hunt are now being sold on the Dark Web posing yet another massive security and privacy threat for users. The total number of accounts sold by “wildfruit2” is 1,257,962,538.

Exploit.in list

What should users do?

We live in an era where a large-scale data breach is not big news anymore. Thanks to cyber criminals behind VerticalScope, MySpace, LinkedIn, Twitter, Dropbox, YahooTumblr and Adobe Systems breaches but users need to understand that their privacy is at risk like never before therefore they should change their passwords on all platforms before it’s too late. Also, make sure not to use the same password on all platform, use a reliable password manager for a secure password and keep changing your password now and then.


DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.