A Hacker Has Dumped Nearly One Billion User Records Over the Past Two Months (zdnet.com)

← Back to Stories (view on slashdot.org)

A Hacker Has Dumped Nearly One Billion User Records Over the Past Two Months (zdnet.com)

Posted by msmash on Monday April 15, 2019 @07:20AM from the security-woes dept.

A hacker who spoke with ZDNet in February about wanting to put up for sale the data of over one billion users is getting dangerously close to his goal after releasing another 65.5 million records last week and reaching a grand total of 932 million records overall. From a report: The hacker's name is Gnosticplayers, and he's responsible for the hacks of 44 companies, including last week's revelations. Since mid-February, the hacker has been putting batches of hacked data on Dream Market, a dark web marketplace for selling illegal products, such as guns, drugs, and hacking tools. He's released data from companies like 500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names. Releases have been grouped in four rounds -- Round 1 (620 million user records), Round 2 (127 million user records), Round 3 (93 million user records), and Round 4 (26.5 million user records).

72 comments

Min score:

Reason:

Sort:

You're saying shitty websites have poor security? by Anonymous Coward · 2019-04-15 07:26 · Score: 1

"500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names." Other than underarmor, THESE are the BIGGER NAMES? Lol.
So? by Anonymous Coward · 2019-04-15 07:28 · Score: 0

My pass phrase is 1kb long. Good fucking luck with that
1. Re:So? by Anonymous Coward · 2019-04-15 07:33 · Score: 5, Funny
  
  My pass phrase is 1kb long.
  That is a insecure pass phrase. "1Kb L0nG$" would be better.
2. Re:So? by JaredOfEuropa · 2019-04-15 07:47 · Score: 5, Funny
  
  My pass phrase is 1kb long. Good fucking luck with that
  Worst pickup line ever...
  
  --
  If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
3. Re:So? by Locke2005 · 2019-04-15 07:47 · Score: 5, Funny
  
  "Do you think maybe he's compensating for something?" -- Shrek
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
4. Re:So? by Anonymous Coward · 2019-04-15 07:50 · Score: 1
  
  My pass phrase is 1kb long.
  That is a insecure pass phrase. "1Kb L0nG$" would be better.
  Funny!
5. Re:So? by Anonymous Coward · 2019-04-15 07:54 · Score: -1
  
  Dang, I forgot my super secure passphrase, now I can't access important information. I should gave written it down on a postit note and stuck it to my monitor. There's just no other way to remember that gobbledygook. :slapself:
  Oh, and 9/11 was a controlled demolition. AE911Truth Org
6. Re:So? by Nidi62 · 2019-04-15 07:57 · Score: 2
  
  My pass phrase is 1kb long.
  That is a insecure pass phrase. "1Kb L0nG$" would be better.
  Dammit! Now I have to change the combination on my luggage!
  
  --
  The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
7. Re: So? by Anonymous Coward · 2019-04-15 08:03 · Score: 0
  
  You keep using that phrase. I do not think it means what you think it means.
8. Re:So? by 93+Escort+Wagon · 2019-04-15 08:09 · Score: 1
  
  My pass phrase is 1kb long.
  Well, MY pass phrase has 1kg mass.
  
  --
  #DeleteChrome
9. Re: So? by Anonymous Coward · 2019-04-15 08:21 · Score: 0
  
  Agree!
10. Re:So? by Anonymous Coward · 2019-04-15 08:47 · Score: 0
  
  Pass phrases that work as Viagra commercials are always the bestest kind.
11. Re:So? by Anonymous Coward · 2019-04-15 09:11 · Score: 0
  
  Oh, and 9/11 was a controlled demolition. AE911Truth Org
  You are so full of shit...
12. Re:So? by Anonymous Coward · 2019-04-15 10:08 · Score: 1
  
  The hash is most likely far shorter than that 1kb number, and I am not sure if that is kilobits or kilobytes being referenced. Assuming a strong SHA512 hash and a 1kb password, you have introduced many collisions with more modest length passwords.
13. Re:So? by Anonymous Coward · 2019-04-15 22:23 · Score: 0
  
  Do not byte!
14. Re:So? by David_Hart · 2019-04-16 00:07 · Score: 1
  
  My pass phrase is 1kb long.
  Well, MY pass phrase has 1kg mass.
  So, you've been logging into to Slashdot for the last 5 years just for this one post? Was it worth it?
15. Re:So? by ebvwfbw · 2019-04-16 14:13 · Score: 1
  
  "Mail from Security Minded People."
  Please check the strength of your password using our free tool:
  www.www.com/passwordchecker.py
  Why my PW is 1kb... Should say it's strong. Let me cut & paste it in.
  See, says it the best it has ever seen!
  I'm so smart. I'm so smart...
  I joke about this, however I work someplace and the guy in charge of the windows people typed his password into the checker in less than 5 minutes. This was the day after phishing awareness training.
  If you want to keep things secure, get rid of passwords. At the very least go to MFA. People as a rule can't be trusted. Individuals - sure. People hell no. People are dumb. At any place - company, government agency, etc...you have people.
In all seriousness... by Anonymous Coward · 2019-04-15 07:39 · Score: -1

I would be heavily in favour of the death penalty for this moron.
Perhaps if he's captured, someone can tattoo "Mohammad is a paedophile" on his back, tie him up naked in the middle of the night in a public place in the middle east and then let them deal with him after they discover him in the AM. Saudi Arabia might be a good place.
1. Re:In all seriousness... by Locke2005 · 2019-04-15 07:49 · Score: 1
  
  Nah; just fine him $1 for each user profile stolen, and keep him in jail until he pays off the entire fine.
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
2. Re:In all seriousness... by Anonymous Coward · 2019-04-15 07:51 · Score: 0
  
  A bit lax, don't you think? Buried neck deep in an army ant hill covered in honey.
3. Re:In all seriousness... by Anonymous Coward · 2019-04-15 08:02 · Score: 1
  
  If sentence would be similar to what corporations get for breaking laws, the guy would get a fine of 1% of this net income and by appeal the sum would be halved.
4. Re:In all seriousness... by ShanghaiBill · 2019-04-15 08:27 · Score: 1
  
  I would be heavily in favour of the death penalty for this moron.
  The focus should be on fixing security holes, rather than draconian punishments for those who inevitably exploit them.
5. Re:In all seriousness... by gweihir · 2019-04-15 08:30 · Score: 1
  
  Just shows you are a vicious cave-man. The death-"penalty" has no deterrence value and is just revenge. As such it makes matters worse. Great job.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
6. Re:In all seriousness... by gweihir · 2019-04-15 08:31 · Score: 1
  
  That would make things better. But some people obviously prefer them to stay bad so they can indulge their sadistic fantasies...
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
7. Re: In all seriousness... by Viol8 · 2019-04-15 08:38 · Score: 1
  
  Care to name anyone who's reoffended after being executed?
8. Re: In all seriousness... by Anonymous Coward · 2019-04-15 08:40 · Score: 0
  
  The usual lame refrain from losers who silently condone the criminals behaviour but dont have the balls to admit it.
9. Re:In all seriousness... by humankind · 2019-04-15 08:43 · Score: 1
  
  I'm not condoning his actions in the slightest.
  But you do realize what he's doing basically, Google and Facebook and many others also do every day?
10. Re: In all seriousness... by Anonymous Coward · 2019-04-15 08:49 · Score: 0
  
  He should incorporate.
11. Re: In all seriousness... by Anonymous Coward · 2019-04-15 09:11 · Score: 1
  
  Care to name anyone who's reoffended after being executed?
  Exactly the same number as have reoffended after serving a life sentence without eligibility for parole. Killing them back accomplishes nothing, but does exclude the possibility of exoneration in the large number of cases where someone has been wrongly convicted.
12. Re: In all seriousness... by Anonymous Coward · 2019-04-15 09:20 · Score: 0
  
  False convictions are, indeed, sad, however, if there is proof beyond a shadow of a doubt: multiple independent witnesses, videos, photos, confession. etc. then those cases warranting the death penalty should continue. Rape, murder, incest, selling drugs to minors, paedophilia, ID theft, armed robbery. I could go on. But, no... we pay by dint of taxation for these asshats to enjoy 3 hots and a cot, free TV, a gym, calls home, visitations, conjugal visits in some places, you name it. I think we should take a page from Singapore's book.
13. Re: In all seriousness... by Anonymous Coward · 2019-04-15 10:14 · Score: 0
  
  You either are obtuse or willfully ignoring the prior post (which is correct). The death penalty is not a deterrent. Take for example murder; there are only three categories: 1) Premeditated: You thought about it and did it knowing about the death penalty and still did it --> not a deterrent. 2) Insanity: You are insane and thus the death penalty didn't register as you are insane --> not a deterrent. 3) Crime of passion: In the heat of the moment you are not thinking of the consequences (eg death penalty) and did it anyway --> not a deterrent.
  The pure fact is that death penalty inmates use MORE dollars than life imprisonment. That's also ignoring the fact that as taxpayers and members of this society that in the instance that ONE innocent inmate is executed, we have all collectively committed murder.
14. Re: In all seriousness... by Anonymous Coward · 2019-04-15 10:40 · Score: 0
  
  Iâ(TM)m not sure about. I bet if the penalty for murder was just 3 months you would see a lot more murder.
15. Re: In all seriousness... by sarren1901 · 2019-04-15 10:42 · Score: 1
  
  If you stop letting people appeal after appeal after appeal it wouldn't cost so much. Criminals like James Holmes where they is zero doubt of who committed the crime. Why keep those people alive? Saying it cost to much is just the system being broken. Killing someone is extremely cheap. Just ask James Holmes.
  For some reason though, we would rather waste money on keeping him alive. I guess he's worth our taxes dollars, eh? Surely no other way we could spend that money but instead we let him live.
  In extremely cases where there is lots of evidence, there should totally be an option of the death penalty and we really ought to be reforming that system itself. 30 years on death row? That's a miscarriage of justice.
16. Re: In all seriousness... by gweihir · 2019-04-15 11:44 · Score: 1
  
  That is unlikely. Most people are not cave-men that think murder (whether by the state or otherwise) is acceptable.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
17. Re: In all seriousness... by gweihir · 2019-04-15 11:46 · Score: 1
  
  Wow, you really do not understand how things work. And even with your primitive approach, it would still not have any deterrence value.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
18. Re: In all seriousness... by gweihir · 2019-04-15 12:13 · Score: 1
  
  That is not what "deterrence" means.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
19. Re: In all seriousness... by Anonymous Coward · 2019-04-15 12:44 · Score: 1
  
  Care to name anyone who's reoffended after being executed?
  You thought you were trolling, but I've got a serious answer to that:
  Jesus Christ ("offended" the archaic laws in place in 1BC)
  Justice isn't always fair -- it's enforcing the laws in place at the time. One of the failings of our justice system is that the system itself can be wrong at times and yet we still strive for the harshest penalty for someone who may have been right in the truest sense.
20. Re:In all seriousness... by Aighearach · 2019-04-15 18:14 · Score: 1
  
  I would be heavily in favour of the death penalty for this moron.
  The focus should be on fixing security holes, rather than draconian punishments for those who inevitably exploit them.
  Can't we do both?
  What is your theory as to why we can't have nice things?
21. Re: In all seriousness... by Viol8 · 2019-04-15 20:49 · Score: 1
  
  Cave men like that saved your parents arse in WW2. Perhaps you think Hitler and the Japanese should have just had stern words spoken to them?
  Moron.
22. Re: In all seriousness... by Viol8 · 2019-04-15 20:51 · Score: 1
  
  Who said deterence is the only goal? Prevention of further crimes by the criminal is just as important and the death penalty does that perfectly with the added bonus of not costing the same as a 4 star hotel to keep them incarcerated for their rest of their lives.
23. Re: In all seriousness... by Anonymous Coward · 2019-04-16 09:20 · Score: 0
  
  And we have all successfully lowered the tax burden.
Re: You're saying shitty websites have poor securi by Anonymous Coward · 2019-04-15 07:43 · Score: 0

Two words: tear ifs
In other news... by BringsApples · 2019-04-15 07:56 · Score: 2

...People all over the world are continuously giving their data away to FaceBook for free.

--
Politics; n. : A religion whereby man is god.
1. Re:In other news... by Anonymous Coward · 2019-04-15 08:05 · Score: 1
  
  Someone finally sees the elephant in the room. Nobody notices because they're all too bloody busy with the noses in their mobiles clicking "Like" and "Subscribe".
2. Re:In other news... by Anonymous Coward · 2019-04-15 08:08 · Score: 0
  
  OMG this is so insightful! You should tell everybody!
life during wartime by Anonymous Coward · 2019-04-15 07:59 · Score: 1

I've had my identity stole so many times
I don't know what I look like!
And? by Anonymous Coward · 2019-04-15 08:11 · Score: 0

Until there's a fine of $1,000+ per personal information leaked (no mass discount and possible criminal charges), this will continue. Companies, even the size of Facebook, would face disappearing overnight and prison time. Then, they will seriously consider what data to keep for how long instead of hoarding all and leaking. With this, no need for the likes of GDPR and other legal swiss cheeses.
Blathering on slashdot is better than sex, right? by Anonymous Coward · 2019-04-15 08:17 · Score: 0

I really do find relaxing with some left-handed tinydick masturbation to a Marvel sequel really puts me in the right frame of mind to comment vapid consumerism on Slashdot and then mod myself up with dummy accounts. /Kendall
Weird grammar by Daetrin · 2019-04-15 08:33 · Score: 0

"wanting to put up for sale the data of over one billion users is getting dangerously close to his goal after releasing another 65.5 million records last week and reaching a grand total of 932 million records overall."

"Dangerously close"? I'm not going to argue that this isn't bad, but does something magical happen when he releases the data for the billionth user and reaches his goal that makes it especially dangerous? Shouldn't releasing records 932,000,001 through 1,000,000,000 be at _most_ about 6.8% as dangerous as all the records he's released already?

--
This Space Intentionally Left Blank
The article isn't clear enough by Anonymous Coward · 2019-04-15 08:33 · Score: 0

Terrible news article whoever put this together should be getting a grilling from their supervisor, I can find price but where is the buy now link?
Sure sure by jbmartin6 · 2019-04-15 08:35 · Score: 2

This appears to be the same person behind the "Collection #1" releases circa Jan 18th. it was just a collection of a bunch of older dumps i.e. data aggregated from other breaches. I didn't see any reason to think this person was behind all of the hacks, I got the sense he might also brag he could hack into any porn site on the Internet by putting in his mom's credit card number.

--
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Advice by Required+Snark · 2019-04-15 08:47 · Score: 2, Interesting

Never sign up for anything ever.
Really. Don't do online payments, don't subscribe to news organizations, don't stream games, don't get email notifications, nothing. The only sort of safe exception is medical information under HIPPA.
Remember no organization is at risk if they leak your info. The cost of a breach is just factored into the cost of doing business. That's why HIPPA is an exception. Medical information leaks are treated extremely seriously and they can even cause an organization to be shut down.
The only one who is at risk if personal data becomes public is you. Organizations don't give a damn about you.

--
Why is Snark Required?
1. Re: Advice by Anonymous Coward · 2019-04-15 09:00 · Score: 0
  
  That's all I need to hear
2. Re:Advice by Anonymous Coward · 2019-04-15 10:21 · Score: 0
  
  HIPAA but w/e.
3. Re:Advice by Anonymous Coward · 2019-04-15 11:03 · Score: 0
  
  Way ahead of you.
  For many, the ego boost of two "free" mod points matters more than their personal security.
4. Re:Advice by Anonymous Coward · 2019-04-15 11:11 · Score: 1
  
  Dammit, I wanna sign up just to get the points to mod you up.
5. Re:Advice by Anonymous Coward · 2019-04-15 11:36 · Score: 1
  
  That's why HIPPA is an exception. Medical information leaks are treated extremely seriously and they can even cause an organization to be shut down.
  For those of us who work with HIPPA data on a daily basis vs. non-HIPPA data - yes its treated more seriously. BUT, at the end of the day - its another factored risk. Paraphrasing Fight Club:
  
  "Take the number of (HIPPA records), A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of (properly securing against a data breach), we don't (bother with proper data security)."
  
  Business woman on plane:
  Are there a lot of these kinds of (exposures)?
  
  Narrator:
  You wouldn't believe.
  
  Business woman on plane:
  Which (HIPAA complaint) company do you work for?
  
  Narrator:
  A major one.
6. Re:Advice by Anonymous Coward · 2019-04-15 12:20 · Score: 0
  
  Anonymous cowards have known this all along ;)
7. Re:Advice by davesays · 2019-04-15 13:57 · Score: 1
  
  HIPPA is not an exception, it promises punishment of violations not guarantees of privacy... I respect your remarks, but even the DOD doesn't keep their stuff private.
8. Re:Advice by Anonymous Coward · 2019-04-15 14:20 · Score: 0
  
  I'm picking you pay for your tin foil with non-sequential cash bills.
9. Re:Advice by Anonymous Coward · 2019-04-15 22:28 · Score: 0
  
  Under GDPR (IANAL) storing plain-text or unsalted passwords could be seen an neglect of basic security and punishable. Developers could go to jail over such breaches or lack of foresight.
10. Re:Advice by jbmartin6 · 2019-04-16 00:55 · Score: 1
  
  Have there been any serious repercussions from HIPAA violations? Medical data get shared around so widely with various medical specialists, claims specialists, coders and re-coders, government agencies, research teams, etc. that 'secret' is no way to describe it. It is generally not in the forefront of news outlets since it is a bit harder to monetize, but there is plenty of medical fraud already going on with leaked health records.
  
  --
  This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
11. Re:Advice by Anonymous Coward · 2019-04-16 01:26 · Score: 0
  
  I (happily) only barely know who Britney Spears is, but I remember the https://www.reliasmedia.com/articles/11576-13-hospital-workers-fired-for-snooping-in-britney-spears-medical-records incident in the news, including the fact that employees were fired and physicians were (only) suspended for the HIPAA violations.
12. Re:Advice by Anonymous Coward · 2019-04-16 02:06 · Score: 0
  
  You are correct, but I don't think you realize the implications of what you've said in a world where Experian has a file on you before you are even born.
  The short version is "you're fucked". The long version:
  
  "There is no such thing as paranoia. Your worst fears can come true at any moment." -HST
13. Re:Advice by Anonymous Coward · 2019-04-16 23:08 · Score: 0
  
  Hot take alert!!
Re:You're saying shitty websites have poor securit by bev_tech_rob · 2019-04-15 09:08 · Score: 1

"500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names." Other than underarmor, THESE are the BIGGER NAMES? Lol.
IKR? Never heard of any of these short of UnderArmor and I haven't heard any news from that outfit for a long time.

--
You're messin' with my Zen Thing, man.....
Is the data real? by Anonymous Coward · 2019-04-15 09:10 · Score: 0

Anything could be a 'user record'. I have been to all kinds of websites that demand I reveal personal information before I can interact with it. I often feed it a ton of bogus information. I couldn't care less if it gets stolen.
Nope, not saying that by Anonymous Coward · 2019-04-15 10:11 · Score: 0

It's a HACKER who did done HACKING with his ebil HACKS!
You cannot possibly do anything against that. It's like the tsunami wave of the cyberspaces. HACKER, HACKING, with HACKS! So no, this is obviously force majeure as all security is impossible against HACKERS HACKING WITH HACKS.
The more you know.
Or sign up under a false persona by ron_ivi · 2019-04-15 12:42 · Score: 1

You get much more fun junk mail if you claim your income's >$400,000; and your interests include hunting rifles and endangered species.
Advice-avoid the IRS. by Anonymous Coward · 2019-04-15 14:57 · Score: 0

Would be good advice except for one small thing. The government leaks too, and one can't avoid being in their databases.
Fake by Anonymous Coward · 2019-04-15 16:31 · Score: 0

Dream Market got shut down after it was raided by the DEA so what in the fuck are you even talking about?
Hacker stole 932 million records from 44 companies by Anonymous Coward · 2019-04-16 00:46 · Score: 0

Technically speaking, how did hacker ‘gnosticplayers’ actually hack these companies?