Hacker selling 368m users records stolen from 26 companies