- The personal details and hashed passwords of 2.2 million users are currently being shared online.
- One of the platforms that exposed the data had admitted the incident, but its account of the scale differs sharply from what the dump shows.
- The spilled passwords are hashed with bcrypt, so they are not immediately usable.
According to ArsTechnica, a fresh data dump compiled from recent breaches has been spotted on the dark web. It contains 2.2 million passwords and personal information records belonging to users of GateHub and EpicBot. The first is a cryptocurrency wallet service; the second is a bot provider for the RuneScape game.
Starting with GateHub, the leak includes email addresses, two-factor authentication keys, mnemonic phrases, wallet hashes, usernames, and IP addresses. GateHub had previously admitted the data breach, and Have I Been Pwned flagged it some time ago. However, the cryptocurrency platform had stated that wallet hashes were not compromised, a claim the dump now contradicts. Moreover, GateHub said that only 18,473 users had been affected by the security incident, but we are now discovering that the actual number is a jaw-dropping 1.4 million users.
As for the EpicBot leak, the exposure concerns 800k users: their email addresses, usernames, IP addresses, and bcrypt-hashed passwords. Bcrypt is deliberately slow to compute and therefore very hard to crack at scale, so these passwords are safe for now, even though they have fallen into hundreds, if not thousands, of malicious hands. The open question is whether the platform implemented the hashing correctly, with an adequate work factor and a unique salt for every password. If not, cracking the hashes could be feasible with conventional computing power.
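The "implemented correctly" question above can be checked without cracking anything: a bcrypt hash string carries its variant, cost (work factor) and salt in the clear, so an operator can audit their own password table for the two most common mistakes, a low cost and a salt shared across accounts. The following is an added example, not code from the article or from either platform; the stored hashes, usernames and the policy floor of cost 10 are constructed assumptions for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# bcrypt modular-crypt format: $<2a|2b|2y>$<two-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

MIN_ACCEPTABLE_COST = 10  # assumption: this audit's policy floor, not a figure from the article

# Constructed sample rows (username, stored hash); salts and digests are synthetic strings
# of the right length, not real bcrypt output. carol and dave share a salt; bob has cost 4;
# erin's value is not bcrypt at all.
SAMPLE_ROWS = [
    ("alice", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   "$2b$04$wxyzabcdefghijklmnopqrABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("carol", "$2a$12$stuvwxyzabcdefghijklmnABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("dave",  "$2a$12$stuvwxyzabcdefghijklmnZYXWVUTSRQPONMLKJIHGFEDCBA98765"),
    ("erin",  "0123456789abcdef0123456789abcdef"),
]


class BcryptHash(NamedTuple):
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> Optional[BcryptHash]:
    """Split a stored bcrypt string into its fields; None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    return BcryptHash(m.group(1), int(m.group(2)), m.group(3), m.group(4))


def audit_hashes(rows):
    """Classify each row as 'ok', 'weak_cost', 'reused_salt' or 'not_bcrypt'."""
    parsed = {user: parse_bcrypt(stored) for user, stored in rows}
    # a salt must be unique per password; any salt seen twice is a red flag
    salt_counts = Counter(h.salt for h in parsed.values() if h is not None)
    verdicts = {}
    for user, h in parsed.items():
        if h is None:
            verdicts[user] = "not_bcrypt"
        elif h.cost < MIN_ACCEPTABLE_COST:
            verdicts[user] = "weak_cost"
        elif salt_counts[h.salt] > 1:
            verdicts[user] = "reused_salt"
        else:
            verdicts[user] = "ok"
    return verdicts


def summarize(rows):
    """Count how many rows fall into each verdict bucket."""
    return dict(Counter(audit_hashes(rows).values()))


if __name__ == "__main__":
    for user, verdict in audit_hashes(SAMPLE_ROWS).items():
        print(f"{user:6} {verdict}")
    print(summarize(SAMPLE_ROWS))
```

Run against the sample rows, alice passes, bob is flagged for a cost of 4 (each doubling of the work is one cost step, so 4 is several hundred times cheaper than 12), carol and dave are flagged for sharing a salt, and erin's value is not bcrypt. Only the cost and salt are inspected; no hash is ever computed or compared.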
Something that concerns users of both websites is the risk of falling victim to credential stuffing attacks, so if you have used either platform, change those credentials everywhere you reused them. If you receive unsolicited email messages that make odd requests or bold claims about you, don't fall for them. Whatever happens with your account from now on, if you want to manage cryptocurrency wallets safely and securely, you should finally consider getting a YubiKey.
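On the operator side, credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the few that succeed are the accounts that need a forced reset. The following detector is an added example, not code from the article or from either platform; the log format, the sample lines (RFC 5737 documentation addresses, a constructed date), the 60-second window and the threshold of five distinct usernames are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not from GateHub or EpicBot), one event per line:
# "<ISO timestamp> <source IP> <username> <FAIL|OK>". 203.0.113.7 walks a list of
# usernames; 198.51.100.23 is one person mistyping their own password twice.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z 203.0.113.7 user01 FAIL
2019-11-20T10:00:02Z 203.0.113.7 user02 FAIL
2019-11-20T10:00:03Z 203.0.113.7 user03 FAIL
2019-11-20T10:00:04Z 203.0.113.7 user04 OK
2019-11-20T10:00:05Z 203.0.113.7 user05 FAIL
2019-11-20T10:00:06Z 203.0.113.7 user06 FAIL
2019-11-20T10:00:10Z 198.51.100.23 jsmith FAIL
2019-11-20T10:00:25Z 198.51.100.23 jsmith FAIL
2019-11-20T10:00:40Z 198.51.100.23 jsmith OK
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")
WINDOW_SECONDS = 60          # assumption: length of the sliding window
DISTINCT_USER_THRESHOLD = 5  # assumption: distinct usernames per IP per window that raise an alert


def parse_line(line):
    """Return (timestamp, ip, username, outcome), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_credential_stuffing(lines, window=WINDOW_SECONDS, threshold=DISTINCT_USER_THRESHOLD):
    """Flag source IPs that try at least `threshold` *different* usernames within `window` seconds.

    Returns {ip: {"distinct_users": n, "succeeded": [usernames]}}; the succeeded list is
    the set of accounts the run actually got into, which should be reset and notified.
    A single user retrying their own password never trips this, however many failures.
    """
    by_ip = defaultdict(list)
    for event in map(parse_line, lines):
        if event:
            ts, ip, user, outcome = event
            by_ip[ip].append((ts, user, outcome))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window` seconds
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            window_events = events[start:end + 1]
            users = {u for _, u, _ in window_events}
            if len(users) >= threshold:
                entry = alerts.setdefault(ip, {"distinct_users": 0, "succeeded": set()})
                entry["distinct_users"] = max(entry["distinct_users"], len(users))
                entry["succeeded"].update(u for _, u, o in window_events if o == "OK")
    for entry in alerts.values():
        entry["succeeded"] = sorted(entry["succeeded"])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_users']} distinct usernames, succeeded: {info['succeeded']}")
```

Keying on distinct usernames per source rather than on raw failure counts is what separates a stuffing run from a forgetful user: jsmith's three attempts stay under the threshold, while the six-username burst from 203.0.113.7 is flagged with user04 listed as the account to reset. In production the same logic would also consume successful logins from new devices, since attackers spread attempts across many addresses.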
Given the large number of people exposed by this incident, the two platforms should now be thoroughly investigated by personal data protection agencies and punished accordingly. As for the inaccuracy of the initial reports, it can be attributed to incomplete internal investigations. ArsTechnica points out that the platform should have done better four months after the incident occurred and 25 days after the posting of the dumps, but we will steer clear of speculating about cover-up or playing-down intentions. Companies that spill data should simply face the business and legal consequences of their inadequacy, and users should do everything in their power to stay safe within any given context.