127 million user records from 8 companies put up for sale on the dark web

The same individual sold 620 million user accounts from 16 other companies earlier this week.
Written by Catalin Cimpanu, Contributor

An individual who earlier this week was selling 620 million user records stolen from 16 companies has now put up a second batch of hacked data totaling 127 million, originating from eight companies.

The data is currently being sold on Dream Market, a dark web marketplace where crooks sell an assortment of illegal products, such as user data, drugs, weapons, malware, and others.

The individual selling the data goes by the name of Gnosticplayers, and it's currently unclear if they're the one/ones who hacked the 24 companies, or just a third-party who purchased the data from the real hacker and is now re-selling it for a bigger profit.

According to tech news site TechCrunch, who first reported this new batch of hacked accounts going for sale on Dream Market, Gnosticplayers is asking for roughly four bitcoin, which is about $14,500 in fiat currency. Prices vary depending on the quality of the user data and the difficulty in cracking password hashes.

This second batch of hacked accounts includes data from the following companies:

DB size
Breach date
Ge.tt (file sharing service)
1.83 Mil
firstname, lastname, password hash (SHA256), Facebook ID, referer
Ixigo (travel and hotel booking)
18 Mil
password hashes (MD5), full name, Facebook URL, IP address, username, email, and, for some users even the passeport ID number, passeport name etc
Roll20.net (gaming)
4 Mil
name, email, passwords (bcrypt), nickname, gaming data, some redacted financial data, server log data
Houzz (interior design)
57 Mil
email, password (SHA256), registration date, name
Coinmama (cryptocurrency exchange)
0.42 Mil
email, password (PHPASS), other unspecified
Younow (live streaming)
40 Mil
full name, profile ID, IP addresses, email, Facebook email and ID, Instagram ID, Google ID, Twitter ID
StrongHoldKingdoms (gaming) 5 Mil
username, email, password (HMAC-RIPEMD160), profile stats, gaming data, SteamID
Petflow (pet food delivery) 1 Mil
email, username, password (MD5), other undisclosed data
Dream Market data
Image: ZDNet

Of the companies listed above, Houzz had already come clean about its data breach last week. The other seven companies did not publicly reveal any security breaches before the publication of today's ads.

This new batch of stolen databases comes after earlier this week, the same Dream Market user was selling the following user databases from 16 other companies:

DB sizeBreach datePriceContent
Dubsmash (video sharing)
161.5 Mil
user ID, password (SHA256), username, email, language, country, more
500px (image hosting)
14.8 Mil
username, email, password (MD5, SHA512, or bcrypt), first and last name, birth date, gender, city, country
EyeEm (image hosting)
22.3 Mil
email and password (SHA1)
8fit (fitness app)
20.1 Mil
email, password (bcrypt), country, country code, Facebook token, Facebook profile picture, name, gender, and IP address
Fotolog (photo app)
16 Mil
email, password (SHA256), security question and answer, name, location, various profile data
Animoto (video editing service)
25.4 Mil
username, password hash (256), email, country, full name, and date of birt
MyHeritage (family genealogy service)
92 Mil
email, password hash (256), account creation date
MyFitnessPal (UnderArmor's fitness app)
150 Mil
user ID, username, email, password hash (SHA1) with a fixed salt, IP address
Artsy (art sharing portal)
1 Mil
email, name, IP addresses, location, and password (SHA256)
Armor Games (online gaming)
11 Mil
username, email, password (SHA256), date of birth, gender, location, and profile data
Bookmate (e-book and audiobook app)
8 Mil
username, email, password (SHA512 or bcrypt), gender, date of birth, and profile data
CoffeeMeetsBagel (dating app)
6 Mil
late 2017 to mid-2018
full name, email, age, registration date, and gender
DataCamp (coding platform)
0.7 Mil
email, password (bcrypt), location, and profile data
HauteLook (online shopping)
28 Mil
email, password (bcrypt), and name
ShareThis (social sharing widegt)
41 Mil
name, username, email, password (DES), gender, date of birth, and profile data
WhitePages (online phone book)
17.7 Mil
late 2017
name, email, password (SHA1 or bcrypt)

Animoto, MyFitnessPal and MyHeritage previously disclosed breaches last year. DataCamp, 500px, Dubsmash, EyeEm, Artsy, 8fit, and CoffeeMeetsBagel confirmed this week that they've been breached as well, giving credence to the seller's boast that this is real data and not just a scam.

These 16 databases are no longer available for sale now. Gnosticplayers said he took them down after buyers complained that a prolonged sale would eventually lead to some of these databases leaking online, and becoming available to everyone.

More updates to follow as we're still looking at the data.

Data leaks: The most common sources

More data breach coverage:

Editorial standards