More "mega breaches" to come, as rival hackers vie for sales

Three major social networks have quietly fallen victim to data breaches, but despite some high-profile success, patience and trust are now beginning to fade.
Written by Zack Whittaker, Contributor

Four weeks. Three hacks. Two rival sellers of almost one billion accounts -- with more to come.

How did we get here? For Silicon Valley, the outbreak of recent confirmed data breaches served up a brutal reminder: security really matters. The hacks took over like a fever, fueled by the reasonable expectation -- given the hackers' apparently high level of access -- that more breaches would emerge.

MySpace, LinkedIn, and Tumblr were all crucified for their failure to keep their users' data secure. The companies said their Hail Marys and ate their humble pie, and promised to do better.

Other companies didn't fare so well.

Dating site Badoo, which last month denied it had been hacked after tens of millions of accounts were traded on a dark web marketplace, maintained face when breach notification site LeakedSource uploaded the dataset of 127 million records. Then, social networking site VK.com initially denied in an email that it was hacked, but admitted later in a post that the leaked data was from 2012, confirming our report, and that logins were force-reset after the fact.

But after riding the wave of this year's "mega breaches," things began to unravel.

Dropbox broke the chain as the next major hack that simply wasn't. And Twitter on Thursday was the latest to deny it had been hacked -- though LeakedSource, which analyzed the data, was clear to say it did not think Twitter had been hacked (despite a slew of headlines suggesting otherwise).

Was this the inflection point? Was "peak hack" over? Or have we saturated the market with so many usernames and passwords that reusing and repackaging existing hacks was almost inevitable?

With one list of credentials, it's easy to repackage a supposed "hack" as another breach -- simply by trading lists of one genuine batch of records. Sometimes it's to pass off old data as new data to make money, or to show off a hacker's prowess and proficiency.

In reality, it just makes it harder to determine if a new list is genuine or not -- and it's beginning to show.

Historical hacks come back to haunt

It was easy to assume Dropbox had been hacked, but proving it would be difficult. It's a hacker's word against a company's -- and in most cases, the latter has more to lose.

A Russian seller who goes by the name "Tessa88" claimed to have 103 million stolen accounts, according to an early March listing on a hacker's forum. The download itself had a smaller set of 73 million records -- a red flag for security reporter Brian Krebs, who first covered the story. It transpired to be rehashed data from Tumblr, but was amped and hyped by monitoring services, which dropped the ball.

Teamviewer, too, was caught up in the hype of the "mega breach" series, which led some to believe the screen-sharing app had been hacked. Though no breach data had appeared online, many claimed their accounts had nonetheless been compromised.

"Are these serious incidents possibly conditioning us to automatically assume the worst? Will it cause us to throw caution to the wind when dealing with the daily claims that some large web presence has become the victim of one of these attacks?" wrote Troy Hunt, a security researcher, who runs breach notification site Have I Been Pwned.

Here's the spoiler alert: A company doesn't necessarily have to have its systems breached to fall victim to a "hack" -- at least in how it appears. It's more likely that years of password reuse are coming back to bite millions on the behind -- because these shared lists of logins can be repackaged and sold on as a "verified" breach of another service.

Given some of the recent trust issues in Silicon Valley (think Edward Snowden), these companies face perception issues that are hard to overcome.

Old attacks, new breaches

In the case of verified hacks -- MySpace, LinkedIn, and Tumblr -- it's not known where the data came from, or how the hacks happened. But remarkably, it's now the sellers themselves who are taking center stage -- and they are said to be reaping the rewards as a result.

After a number of conversations over the past three weeks, here's what we think we know.

Tessa88 is thought to have first emerged earlier this year -- it's not clear if she (her gender isn't known, but she refers to herself in many hacker forums as female) is part of a wider group, but she is known to acquire breach data and sell it for bitcoin.

With links to the recent MySpace and VK.com data breaches, she most recently made a name for herself by obtaining over 300 million Twitter logins. That was later revised down to 32 million logins, and an analysis showed that there was no hack behind the leaked data. LeakedSource said the credentials were likely collected from the account holders' computers themselves.

For its part, Twitter denied any breach -- despite numerous headlines suggesting otherwise.

In any case, there's no way to be sure -- and it's the word of one (or two) against a trusted company.

Tessa88, who would strictly only talk to me in Russian, also claims to have accounts for Qip.ru, Rambler.ru, and Mobango -- among others -- which range from 10 (about $5,780) to 15 bitcoin (about $8,670) in price. When we asked for a sample to verify, she asked us for bitcoin -- something we declined to do.

But in the same arena is another seller, who goes by the name "Peace" -- a hacker who made a name for himself by selling different sets of stolen data from Fling, LinkedIn, Badoo, and VK.com.

Now the sellers (independent of one another) are claiming their stake to a much larger set of the same tech scalps.

Both of the sellers claim to have in their possession upwards of 836 million accounts associated with Facebook, which are said to date back to mid-February this year. Peace said an unnamed security firm is interested in buying the data, but didn't say which. He said the data would soon be put up for sale.

The two hackers also claim to have 160 million and 332 million accounts -- depending on who you ask -- associated with Instagram, which they both said were stolen in 2014.

Unlike other breaches, neither Tessa88 nor Peace would share data associated with the alleged Facebook and Instagram breaches.

Facebook, which also owns Instagram, would not comment on the record on Thursday.

Again, it's "he said" versus "she said." And no matter how spurious or exaggerated the claims may be by the hackers, there's no definitive way to prove either case.

Peace also claimed to have a number of smaller breaches under his belt, which he would sell for a bitcoin or two -- like 23 million accounts with JustMate.com, a dating site that claimed from its own homepage to have tens of thousands of users online at any given time. The site's owner, James King, said in an email that he has only 1,300 active users.

King then threatened legal action if we posted "any negative information about our site."

And, if that wasn't enough, Peace claims to have 1.1 billion accounts associated with Yahoo, which he said "bends over for NSA" -- a reference he didn't clarify, but may have some connection to its naming as part of the clandestine PRISM government surveillance program.

A hackers' underground emerges

Given that the two sellers meet in the middle on what could be the biggest ever known data breaches, you might think there would be a back story. And if you're wondering what the connection between the two is -- join the club.

It turns out the two sellers just flat-out hate each other.

"They are not friends at all," said one of the members of LeakedSource, who would not be identified. "They both sell data... they get data and resell."

Peace has not told me his name or age, but is thought to live in Europe -- though a source who claims to know of his work said he lives in the central US. He has no formal hacker group affiliations, but occasionally works with Russian hackers, he said some weeks ago. Earlier this year, he admitted he installed a backdoor in the Linux Mint distribution, and occasionally sells private exploit services for vulnerabilities on dark web marketplaces.

While Peace will generally work on the dark web marketplaces, which he uses to sell data, Tessa88 has a different style, tending to stick to Russian-language forum boards -- essentially "clearnet" sites that can be found on the regular internet.

But from the sources we've spoken to, who have knowledge of the two sellers, there are accusations that Peace has on numerous occasions obtained the allegedly hacked data from Tessa88 through a proxy -- which may explain why she is hardly a fan of him.

In an encrypted chat this week, she called Peace a "motherf**ker," "cheater," and "another child who sells my databases." She said, "he has cheated me, and I don't like traitors."

Peace did not respond when we asked about Tessa88.

Tessa88 is thought to be the original source of the data, but she wouldn't say how she got it. Instead, she would sporadically talk about bizarre topics on encrypted chat -- like how she would visit the beach, yet she was "unsafe," and was also (perhaps conveniently) unable to show part of the hacked data at the time because her car had broken down on the Avtomagistral.

Other people we spoke to, who had also been in contact with Tessa88, had similar conversations.

The big, million-dollar question is where the data came from.

"Well," said Peace, "Tumblr, MySpace, LinkedIn, Facebook, Fling and more to come," he said. "They're all hacked by [the] same people. Is it me or someone else? Well, let the FBI 'investigate' and find out," he told me last Friday.

But the longer the data was kept under wraps, the more valuable it became -- for use on the underground market over the course of the past few years, until such a time as it's no longer useful. Then, the data is quietly announced on a dark web forum (in Peace's case) or on a hacker's forum (in Tessa88's case), where it can be sold for a price that varies depending on free market economics. If the press verifies the data, the price goes up; but if it's scrutinized too much and thought to be an inflated or rehashed breach from an earlier hack, the price can drop dramatically.

Hunt said in a recent interview: "Well it might be that whoever exfiltrated this data to begin with has had some catalyst which has caused them to release this, so maybe they want to get straight and they want to cash it in."

"But clearly there has been some event which has caused this data which has laid dormant for that long to suddenly be out here in the world," he added.


What appeared to be on the face of it a clandestine cooperative to sell and rehash data between two hackers now seems to more likely resemble -- for want of a better term -- a pissing contest between two hackers who are competing to sell third-party data for a quick buck on the dark web.

This recurring theme of historical breaches has little pattern or direction, and has some successes and failures, making it almost impossible to predict. The hype and the sudden drop in faith and trust in a hacker's word now make it impossible to prove any new alleged breaches when they happen.

And what's having the biggest impact on the hacking saga -- better for the hackers and sellers, but worse for the ordinary public -- is the dire state of password reuse. This sharing of passwords across services is security's fundamental undoing. Two services with the same credentials, and you can pass off a list of passwords with a claim to a hack on each. Once enough accounts share usernames and passwords, it creates the illusion that a service has been breached, and that's difficult to walk away from because it's almost impossible for a company to prove it hasn't been hacked.

With a dark web market close to reaching a billion logins -- and another billion said to be in the pipeline -- it's not unreasonable to expect the worst. "There's been a hack." "Another company breached." That recirculated data will remain useful to someone -- an account hijacker, phisher, or just a typical run-of-the-mill spammer -- in one way or another, and for years to come.

Thanks to a decade of poor security and bad passwords, these sellers can just keep repackaging our fears and failures for months and years -- and for the most part, we're none the wiser.
