Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Privacy The Almighty Buck The Internet Technology

Hacker Who Stole 620 Million Records Strikes Again, Stealing 127 Million More (techcrunch.com) 35

An anonymous reader quotes a report from TechCrunch: A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned. The hacker, whose listing was the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites -- some that had already been disclosed, like more than 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn't know or hadn't disclosed yet -- such as 500px and Coffee Meets Bagel. The Register, which first reported the story, said the data included names, email addresses and scrambled passwords, and in some cases other login and account data -- though no financial data was included. Now the same hacker has eight additional marketplace entries after their original listings were pulled offline, including:

- 18 million records from travel booking site Ixigo
- Live-video streaming site YouNow had 40 million records stolen
- Houzz, which recently disclosed a data breach, is listed with 57 million records stolen
- Ge.tt had 1.8 million accounts stolen
- 450,000 records from cryptocurrency site Coinmama.
- Roll20, a gaming site, had 4 million records listed
- Stronghold Kingdoms, a multiplayer online game, had 5 million records listed
- 1 million records from pet care delivery service PetFlow
This discussion has been archived. No new comments can be posted.

Hacker Who Stole 620 Million Records Strikes Again, Stealing 127 Million More

Comments Filter:
  • - 1 million records from pet care delivery service PetFlow

    Well, I know what flows from pets and if somebody wants to hack to get that kind of stuff... Power to them.

  • by dryriver ( 1010635 ) on Thursday February 14, 2019 @05:14PM (#58123460)
    If you know enough scripting/IT to hack major websites without being caught, why not write a little software tool that does something legit, sell it on website, and make a living with that? Why not make a powerful website security boosting tool instead of HACKING websites? Would that be worth far less than putting happless people's credit card info and other details on the Dark Web? Unless of course these "hackers" are GOVERNMENT people. Perhaps Russian government people. Hacking Western companies not for itty-bitty money on the Dark Web, but simply to damage and inconvenience Westerners. Seriously, who is so good at hacking, and so poor at legit coding that they cannot make similar money writing something that has a legitimate use? Who are these "lone superhackers" who can go undetected by Western security agencies and just throw struff on the Dark Web? I smell Putin in these supposed "lone hacks".
    • I believe it's because the skills required to hack a lot of websites are actually quite low end and it's mostly just a matter of nobody's trying and nobody's auditing their own network security.

      In theory he best part of hacking is that you Force the world to take data security seriously. In practice these guys release a lot of data that mostly just sits there and has no use to anybody except perhaps the company that piled it up in the first place.

      With the Advent of multi-factor authentication a lot of that

    • by Major_Disorder ( 5019363 ) on Thursday February 14, 2019 @05:38PM (#58123566)
      Because they will produce an amazing tool. Then spend the rest of their lives supporting morons trying to use it. Prison would be better than that hell. :)
    • ...Perhaps Russian government people...I smell Putin in these supposed "lone hacks".

      I can only conclude that you listen to a lot of western propaganda; wherein everything you just can't wrap your head around means >Russia
      The USA's own NSA has a long history of planting code [atlasobscura.com], and at time hacking enemies and allies.

    • Perhaps the hacker doen't live in an ecosystem where opportunities abound. Also, the hacking skill set may not be broad enough to extend to all of the talents required to hold an affluent job.

      In any case, the hacker has established a business model that seems to be working.

    • My guess is they're involved in this kind of criminal behavior because of the same personality characteristics that would make it impossible to:
      1) provide any kind of "customer support" in a self-employment situation, or
      2) get a degree and/or be part of a typical workplace

    • Bank Secretary : So, people hire you to break into their places... to make sure no one can break into their places?

      Martin Bishop : It's a living.

      Bank Secretary : Not a very good one.

  • We're screamed at about secure passwords, and how to secure our computers. Let me try to say this in the most polite way......

    It...don't...fucking....matter!

    It's all being given away for free, and the only way to keep it from being given away for free is to not use the internet.

    That is all.

    • Ah come on.. Even the most secure password is all but pointless... UNLESS... You:

      1. Change it often.

      2. Don't reuse it at other sites or later at the same site.

      3. Is Complex and long.

      4. is not easy to guess.

      Which is why I NEVER reuse my passwords and alter my usernames between sites. That way, when the information gets hacked, I don't have to worry about somebody saying "Hey, users are lazy and here is a user ID on this site with a password I know, over here on that other site... Let's see if he reused

      • Ah come on.. Even the most secure password is all but pointless... UNLESS... .

        My point was that you can have as secure a password as you can have, but since the companies that people entrust their data to are simply not following any (or lax) security.

        "According to the hacker’s listings, Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow is said to have not scrambled user passwords at all." And the security researcher says the hacker may have used the same tactics on the other sites.

        Doesn't

    • by Anonymous Coward

      The passwords were scrambled, so as long as a password is at least 12 characters of random upper and lowercase letters, numbers, and punctuation, and hasn't been used on any other sites, it's practically immune to brute-force attacks.

      • The passwords were scrambled, so as long as a password is at least 12 characters of random upper and lowercase letters, numbers, and punctuation, and hasn't been used on any other sites, it's practically immune to brute-force attacks.

        It wasn't brute force, and the passwords were quite accessible.

        Some places the passwords were stored using MD5, some were stored in cleartext. FTFA:

        According to the hacker’s listings, Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow is said to have not scrambled user passwords at all.

        And the security agency says it is likely the others were similarly easy to crack. Point is, these identity thefts were not ma

  • a series of hacks which will not provide me with another year of "credit monitoring" I think I have enough banked so 2 generations after me will have it available. /s

    Password management is only as good as a sites ability to protect your information.

    Increasingly bad design choices seem to be made by developers regarding the protection of your personal information.

  • by FeelGood314 ( 2516288 ) on Thursday February 14, 2019 @05:55PM (#58123650)
    Making something secure means thinking about security on day one. What is it that I want to have secure and who wants to get it. It means keeping things simple. I can write 15 lines of code that are secure as long as they don't call any other functions. After that things start getting risky. Frameworks build on other frameworks, multiple data bases, parsing any strings, it's all extra complexity. You really have to look at it and try and minimize what you want to keep secure. Make everything else fancy, make your email web page requires 1.1GB in memory (looking a you gmail), but let's keep the actual login tiny so one person can understand it.

    Seriously, think first and then remember simple and minimal is your friend in security
    • How can the average "web developer" do that, when they install 650+ "frameworks" just to be able to get some output to the browser console? Do you expect them to know what everything that they bundle with their "webapp" by blindly typing "npm run build" does? Security is hopeless.

  • I've never heard of a single one of the websites that got hacked. I'm guessing said websites are shoestring operations who's business model is get in, maximize your $$$, get out.
  • Whats the latest 2019 thinking on pw and crypto that works while offering normal user web GUI?
  • LPs or 45s?

    That hacker could have saved some storage space by stealing cassette tapes instead.

  • I swear, if any of my shadowrun players show up with 200 karma that fell off a back of a truck...

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...