- Dark web users are freely sharing the ‘Star Tribune’ user data that was first sold by Shiny Hunters six months ago.
- That data, along with the Minted.com set, was protected by bcrypt hashing, so the passwords couldn’t be broken.
- This makes the data almost worthless for credential stuffers, but it could still be used in phishing operations.
In May 2020, the notorious data broker “Shiny Hunters” put up a massive database for sale, offering 73.2 million user records from eleven companies. Among them, there was a set of one million user records belonging to ‘Star Tribune,’ the largest newspaper in Minnesota, USA.
That pack had a price of $1,100, and it looks like all of its selling potential has now been exhausted: after almost six months, the pack is being shared for free on popular Russian-speaking forums on the dark web.
The pack that’s being shared is a 900 MB SQL file that contains the following data:
- Email addresses
- Hashed passwords
- Dates of birth
- Phone numbers
The newspaper has been informing its subscribers since May that their passwords were encrypted, and the hashing algorithm used (bcrypt) is considered to be very strong. Thus, one explanation for the open leak of this data is that there was no value in it for hackers looking to engage in credential stuffing attacks. If you receive any unsolicited messages (email or SMS) making bold or weird claims, ignore them.
Still, having names, email addresses, home addresses, and phone numbers in the set is amazingly useful for scammers and phishing actors, and this is not the kind of data that can be reset like passwords. Also, even though the passwords were stored in a safe format, you should still reset them anywhere you could be using them and pick something new, unique, and strong.
If you have any questions or concerns about this hack and how it affects you, Star Tribune is open to address them at 612-673-4343 or via email at firstname.lastname@example.org.
In addition to the ‘Star Tribune’ data, the same leaker shared the five million records of the Minted.com users, consisting of the same type of information. In that case, too, bcrypt was used to hash the user passwords, so this appears to be the common denominator that drops the value of that data down to “freely shareable.”