Slashdot Mirror


Hacker Who Stole 620 Million Records Strikes Again, Stealing 127 Million More (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned. The hacker, whose listing offered the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites -- some that had already been disclosed, like more than 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn't know or hadn't disclosed yet -- such as 500px and Coffee Meets Bagel. The Register, which first reported the story, said the data included names, email addresses and scrambled passwords, and in some cases other login and account data -- though no financial data was included. Now the same hacker has eight additional marketplace entries after their original listings were pulled offline, including:

- 18 million records from travel booking site Ixigo
- Live-video streaming site YouNow had 40 million records stolen
- Houzz, which recently disclosed a data breach, is listed with 57 million records stolen
- Ge.tt had 1.8 million accounts stolen
- 450,000 records from cryptocurrency site Coinmama
- Roll20, a gaming site, had 4 million records listed
- Stronghold Kingdoms, a multiplayer online game, had 5 million records listed
- 1 million records from pet care delivery service PetFlow

35 comments

  1. Pet flow? by bobbied · · Score: 1

    - 1 million records from pet care delivery service PetFlow

    Well, I know what flows from pets and if somebody wants to hack to get that kind of stuff... Power to them.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re: Pet flow? by Anonymous Coward · · Score: 0

      Oh man they are gonna find this guy floating somewhere

    2. Re: Pet flow? by Anonymous Coward · · Score: 0

      Nah. He hit crypto sites too. Those guys are the most vile, transparently and unabashedly greedy scumlords in the history of the planet. The more of them that fall, the greater the guy's rep is going to become.

      Tl;dr - Organised crime and governments wanting to skirt financial oversight have gone hard and heavy into crypto. Most of the human, drugs and weapons trafficking is powered by it. Feck those guys....every last idiotic one of them.

  2. Why Don't These Hackers Make Money Legitimately? by dryriver · · Score: 2

    If you know enough scripting/IT to hack major websites without being caught, why not write a little software tool that does something legit, sell it on a website, and make a living with that? Why not make a powerful website security boosting tool instead of HACKING websites? Would that be worth far less than putting hapless people's credit card info and other details on the Dark Web? Unless of course these "hackers" are GOVERNMENT people. Perhaps Russian government people. Hacking Western companies not for itty-bitty money on the Dark Web, but simply to damage and inconvenience Westerners. Seriously, who is so good at hacking, and so poor at legit coding that they cannot make similar money writing something that has a legitimate use? Who are these "lone superhackers" who can go undetected by Western security agencies and just throw stuff on the Dark Web? I smell Putin in these supposed "lone hacks".

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
  3. Same old same old by Ol Olsoc · · Score: 1

    We're screamed at about secure passwords, and how to secure our computers. Let me try to say this in the most polite way......

    It...don't...fucking....matter!

    It's all being given away for free, and the only way to keep it from being given away for free is to not use the internet.

    That is all.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:Same old same old by bobbied · · Score: 1

      Ah come on.. Even the most secure password is all but pointless... UNLESS... You:

      1. Change it often.

      2. Don't reuse it at other sites or later at the same site.

      3. Is complex and long.

      4. Is not easy to guess.

      Which is why I NEVER reuse my passwords and alter my usernames between sites. That way, when the information gets hacked, I don't have to worry about somebody saying "Hey, users are lazy and here is a user ID on this site with a password I know, over here on that other site... Let's see if he reused his password.." 9 times out of 10 they will get logged in.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Same old same old by Anonymous Coward · · Score: 1

      The passwords were scrambled, so as long as a password is at least 12 characters of random upper and lowercase letters, numbers, and punctuation, and hasn't been used on any other sites, it's practically immune to brute-force attacks.

    3. Re:Same old same old by Anonymous Coward · · Score: 0

      It's all being given away for free

      $20,000 isn't free.

      But you're not wrong: what's the point in us trying to be secure if the damned sites we're trying to be secure on can't get their sh!t in order? How about some repercussions for lax security on the other side? Public non-apologies aren't good enough; somebody in authority at each company needs to be held accountable. "The captain is responsible for his ship and crew" and all that.

    4. Re:Same old same old by Anonymous Coward · · Score: 0

      I think the point is, if all the websites you use* get hacked it doesn't matter what password you use. Changing it often--because it keeps getting hacked--, not reusing it--because they all require "new" passwords--, making it complex and long--because as part of their "security improvement" driven by the site owner having a shit password is requiring everyone else also have a complex and long password--, and not easy to guess--because see the previous point. It's enough to make one rather bitter when so few web sites seem to either have admins that follow such advice, use outdated software that leaves them vulnerable, or they roll their own and clearly they're no better than mainstream software when it comes to security holes.

      * In the end, this being an exaggeration is the only thing that stops me and most people from fully raging about it. I can only imagine how people who have accounts on 4 of the sites mentioned must feel.

    5. Re:Same old same old by Ol Olsoc · · Score: 1

      Ah come on.. Even the most secure password is all but pointless... UNLESS...

      My point was that you can have as secure a password as you can have, but since the companies that people entrust their data to are simply not following any (or lax) security.

      "According to the hacker’s listings, Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow is said to have not scrambled user passwords at all." And the security researcher says the hacker may have used the same tactics on the other sites.

      Doesn't matter what your password is if it's available in cleartext for the taking. And while I have my computers battened down, companies with little to no security are wide open. Plus why worry about the single user, when you can get everyone?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:Same old same old by Ol Olsoc · · Score: 1

      The passwords were scrambled, so as long as a password is at least 12 characters of random upper and lowercase letters, numbers, and punctuation, and hasn't been used on any other sites, it's practically immune to brute-force attacks.

      It wasn't brute force, and the passwords were quite accessible.

      Some places the passwords were stored using MD5, some were stored in cleartext. FTFA:

      According to the hacker’s listings, Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow is said to have not scrambled user passwords at all.

      And the security agency says it is likely the others were similarly easy to crack. Point is, these identity thefts were not made on systems with anything resembling security.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Same old same old by Ol Olsoc · · Score: 1

      It's all being given away for free

      $20,000 isn't free.

      But you're not wrong: what's the point in us trying to be secure if the damned sites we're trying to be secure on can't get their sh!t in order? How about some repercussions for lax security on the other side? Public non-apologies aren't good enough; somebody in authority at each company needs to be held accountable. "The captain is responsible for his ship and crew" and all that.

      As long as the people in charge of the companies have absolutely no liability, these companies will have absolutely no security. Some of these companies stored passwords in cleartext - some used md5 - not much better.

      This needs to be criminalized, or else it will continue unabated, because no punishment, no fix. Bring a CEO into court, jail him for a few years, and it's a dead lock that the problem will be fixed in a matter of days.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. When you really stop and think about it by Anonymous Coward · · Score: 0

    He did a lot of work to accomplish almost nothing.

    He could have probably made more money just writing an app and at least he might have something to show for it instead of a bunch of work that he put into a criminal event that he can't really brag about and that didn't really accomplish much or generate much money.

    1. Re:When you really stop and think about it by CaptainDork · · Score: 1

      Might have been a "she," in some godforsaken place other than New Jersey.

      --
      It little behooves the best of us to comment on the rest of us.
  5. Re: Why Don't These Hackers Make Money Legitimatel by Anonymous Coward · · Score: 1

    I believe it's because the skills required to hack a lot of websites are actually quite low end and it's mostly just a matter of nobody's trying and nobody's auditing their own network security.

    In theory the best part of hacking is that you force the world to take data security seriously. In practice these guys release a lot of data that mostly just sits there and has no use to anybody except perhaps the company that piled it up in the first place.

    With the Advent of multi-factor authentication a lot of that data isn't worth much because it doesn't represent a long-term ability to hack people over time like it used to. There used to be a lot of value in piling up logins and passwords, but as soon as someone turns two-factor authentication on that value significantly declines and if they have two-factor on their main email account a lot of times they can pretty easily recover everything.

    Then you have the simple fact that most people don't actually have any kind of interesting data and when you release data on millions and millions of people it mostly just becomes a pile of worthless data. It might be a good smoke screen in some instances, but that seems like a stupid way to make a pretty small amount of money.

    If I was a hacker for hire I would be far more interested in precision hacking where I'm not releasing piles of data and then acknowledging the hacks so the data loses value and then essentially having so much data at once that I have no idea what to do with it nor does the total combined hacking community. I mean you can't turn lead into gold and you can't turn that 90% of useless data into anything useful unless you really really really care about profiling someone very accurately, which is exceptionally uncommon.

  6. Re: Why Don't These Hackers Make Money Legitimatel by Anonymous Coward · · Score: 0

    Perhaps Canadian government people, Swiss, German, Thai, Somalian, Iraq, Argentina, Colombia, USA...

    Literally any government, why single out Russia?

  7. Re:Why Don't These Hackers Make Money Legitimately by Major_Disorder · · Score: 4, Funny

    Because they will produce an amazing tool. Then spend the rest of their lives supporting morons trying to use it. Prison would be better than that hell. :)

    --
    First law of people: People are generally stupid.
  8. Here we go again... by bogaboga · · Score: 2

    ...Perhaps Russian government people...I smell Putin in these supposed "lone hacks".

    I can only conclude that you listen to a lot of western propaganda, wherein everything you just can't wrap your head around means Russia.

    The USA's own NSA has a long history of planting code, and at times hacking enemies and allies.

  9. Re: Why Don't These Hackers Make Money Legitimatel by ahodgson · · Score: 2

    Gee, I don't know. Maybe it's the constant stream of hacking attempts literally everyone running anything attached to the Internet sees daily from Russia and China.

  10. Finally by bobstreo · · Score: 1

    a series of hacks which will not provide me with another year of "credit monitoring" I think I have enough banked so 2 generations after me will have it available. /s

    Password management is only as good as a site's ability to protect your information.

    Increasingly bad design choices seem to be made by developers regarding the protection of your personal information.

  11. Re:Why Don't These Hackers Make Money Legitimately by Anonymous Coward · · Score: 0

    I once read that the money spent on enterprise spam email filtering is an order of magnitude greater than the amount lost from spam emails.

  12. Re:Why Don't These Hackers Make Money Legitimately by CaptainDork · · Score: 1

    Perhaps the hacker doesn't live in an ecosystem where opportunities abound. Also, the hacking skill set may not be broad enough to extend to all of the talents required to hold an affluent job.

    In any case, the hacker has established a business model that seems to be working.

    --
    It little behooves the best of us to comment on the rest of us.
  13. Security is a mentality not skill by FeelGood314 · · Score: 2

    Making something secure means thinking about security on day one. What is it that I want to have secure and who wants to get it. It means keeping things simple. I can write 15 lines of code that are secure as long as they don't call any other functions. After that things start getting risky. Frameworks built on other frameworks, multiple databases, parsing any strings, it's all extra complexity. You really have to look at it and try and minimize what you want to keep secure. Make everything else fancy, make your email web page require 1.1GB in memory (looking at you gmail), but let's keep the actual login tiny so one person can understand it.

    Seriously, think first and then remember simple and minimal is your friend in security.

    1. Re:Security is a mentality not skill by Mr. Dollar Ton · · Score: 1

      How can the average "web developer" do that, when they install 650+ "frameworks" just to be able to get some output to the browser console? Do you expect them to know what everything that they bundle with their "webapp" by blindly typing "npm run build" does? Security is hopeless.

  14. Just wow by Snotnose · · Score: 1

    I've never heard of a single one of the websites that got hacked. I'm guessing said websites are shoestring operations whose business model is get in, maximize your $$$, get out.

  15. Becoming apparent by Anonymous Coward · · Score: 0

    That this type of thing just does not matter. The odds of any one person getting scammed or identity stolen by one of these hacks is about the odds of getting hit by lightning. Billions of records and nothing to show for it except small time scams. Finally security by obscurity works.

  16. All more salt? by AHuxley · · Score: 1

    What's the latest 2019 thinking on pw and crypto that works while offering normal user web GUI?

    --
    Domestic spying is now "Benign Information Gathering"
  17. Re: Why Don't These Hackers Make Money Legitimate by Anonymous Coward · · Score: 0

    20 years ago, I met a loose confederation of young, skilled, poorer, under-opportunitied Russian hackers in a nondescript encrypted IRC server who were paid (used for sustenance) to make tools for more powerful Russian gangs of oligarch kids and wannabe crackers to make money criminally and build their reputation around other gangs.

  18. Stolen records by PPH · · Score: 1

    LPs or 45s?

    That hacker could have saved some storage space by stealing cassette tapes instead.

    --
    Have gnu, will travel.
  19. but when by Anonymous Coward · · Score: 0

    but when will you have enough records mr hacker??

  20. Re: Why Don't These Hackers Make Money Legitimatel by Mr. Dollar Ton · · Score: 1

    You're confusing "the hackers" with "the scripts run by the script kiddies". They are different animals altogether.

  21. Re:Why Don't These Hackers Make Money Legitimately by AmusingClown · · Score: 1

    My guess is they're involved in this kind of criminal behavior because of the same personality characteristics that would make it impossible to:
    1) provide any kind of "customer support" in a self-employment situation, or
    2) get a degree and/or be part of a typical workplace

  22. Darn dirty hackers... by HeckRuler · · Score: 1

    I swear, if any of my shadowrun players show up with 200 karma that fell off the back of a truck...

  23. Sneakers, Act 1: On going legit by radarskiy · · Score: 1

    Bank Secretary : So, people hire you to break into their places... to make sure no one can break into their places?

    Martin Bishop : It's a living.

    Bank Secretary : Not a very good one.