- Someone is selling a big collection of data dumps deriving from recent hacks on 14 online platforms.
- Four of them were already known, but the others are fresh, and the exposed users knew nothing about the risks.
- The same seller is also listing older data breaches that spam campaigners may find useful.
A stolen data broker is offering millions of user records taken from data breaches that allegedly happened in 2020. The information is the result of exfiltrating the databases found in the compromised systems of 14 firms, four of which have already admitted a security incident in May, when "Shiny Hunters" put up their user details for sale on the dark web. The following table provides an overview of what has been put up for sale this time. It's important to clarify that the data broker is selling the below individually, setting the cost between $100 and $1,100.
As for what type of data is included in each offering, this depends on the database. In general, there are usernames, email addresses, hashed passwords, home addresses, full names, social media profiles, and phone numbers. The implications for the exposed individuals range from scams and phishing attempts, email- and SMS-based trickery to bypassing 2FA via SIM swapping attacks. Some platform listings aren't dealing with critical stuff, as they are about soccer streaming or food delivery services. Others, however, are more important as they contain data of people who registered on loan platforms.
|Platform||User Records||Alleged Breach Date|
|JamesDelivery||1.6 million||March 2020|
|Minted||4.3 million||May 2020|
|Playwings||4.1 million||April 2020|
|Revelo||1.1 million||June 2020|
|Tokopedia||91 million||April 2020|
|Yotepresto||1.4 million||June 2020|
|Zoosk||29.1 million||January 2020|
In addition to the above, the same data broker is also selling older breaches like those of the Star Tribune, EpicGames, ZyngaPoker, ReverbNation, Wirecard, ClickFunnels, and more. The user information from these data breaches has already been exploited. Still, some value remains, most likely for those looking to distribute spam across millions of valid email addresses.
The ten firms who look like they suffered a security incident that they chose not to disclose haven't responded through any public announcements yet, which is unfortunately quite typical nowadays. Thus, people shouldn't expect to receive a warning from the platforms. If you have an account on the above websites, go ahead and reset your passwords, and do the same on any other online platform that you may be using the same credentials.
Right now, there are so many data breaches going on that it has gotten practically impossible for people even to keep up. Firms are exploiting the rate by which newer breaches steal the news headlines and the lack of concrete data protection laws that would compel them to disclose these incidents, so they are just playing deaf. That said, the user should act more responsibly in taking every precaution that would help secure your data.