386 million user records stolen in data breaches — and they're being given away for free
Personal details of millions can be downloaded
A notorious hacker or group of hackers is giving away copies of databases said to contain 386 million user records, after posting links to the databases on a marketplace used by cybercriminals.
The threat actor, who goes by the name ShinyHunters, claims to have data stolen from 18 different websites in the past seven months.
Free for all
According to BleepingComputer, ShinyHunters last week began uploading the databases to a forum where anyone can download them free of charge.
ShinyHunters is believed to have played a role in high-profile data breaches at HomeChef, Promo.com, Mathway, Chatbooks, Dave.com, Wattpad and even Microsoft's GitHub account. Many of these records were previously offered for sale online.
The free data is said to come from the following companies, some of which have confirmed data breaches in the past few months.
- Appen.com - 5.8 million records
- Chatbooks.com - 15.8 million records
- Dave.com - 7 million records
- Drizly.com - 2.4 million records
- GGumim.co.kr - 2.4 million records
- Havenly.com - 1.3 million records
- Hurb.com - 20 million records
- Indabamusic.com - 475,000 records
- Ivoy.mx - 127,000 records
- Mathway - 25.8 million records
- Proctoru.com - 444,000 records
- Promo.com - 22 million records
- Rewards1.com - 3 million records
- Scentbird.com - 5.8 million records
- Swvl.com - 4 million records
- Truefire.com - 602,000 records
- Vakinha.com.br - 4.8 million records
- Wattpad - 270 million records
The alleged data breaches at Appen.com, Drizly.com, Havenly.com, IndabaMusic.com, Ivoy.mx, Proctoru.com, Rewards1.com, Scentbird.com and Vakinha.com.br had not been reported before, noted BleepingComputer.
The real deal
Having viewed some of these databases, BleepingComputer's Lawrence Abrams believes that the data is indeed legitimate because “the exposed email addresses correspond to accounts on the services”.
ShinyHunters has likely made a large sum of money by selling this data online. The cheapest databases were offered for $500 (Zoosk), while the most valuable was listed at $100,000 (Wattpad).
ShinyHunters explained to BleepingComputer why he, she or they are giving away the data.
“I just thought: ‘I've made enough money now’ so I leaked for everyone's benefit. Obviously, some people are a little upset because they paid resellers a few days ago, but I don't care.”
Jake Moore, security specialist at ESET, told Tom’s Guide: “Even stolen data has a best-before date, so this isn’t a huge surprise for some of this data to be offered for free once it has been out in the public domain for some time.
“However, what is interesting is that half of those breaches have not before since been disclosed, which makes it an interesting move by the hackers [who] possibly genuinely only wanted to make a certain amount from the stolen information.”
What to do if you were affected
For affected users, Moore recommends: “It goes without saying to make sure that if you have an account with any of the listed compromised services then make sure you change your password and where available, activate two-factor authentication as an extra layer of protection.”
Daniel Lewis, CEO and co-founder of cybersecurity firm Awen Collective, added: “We recommend that everybody, including those people using the Dave service, to check whether their details have been compromised by plugging their email address into the HaveIBeenPwned website.” (It's safe to use.)
Tom's Guide would also suggest that everyone use one of the best password managers so that a breach involving one of your accounts doesn't end up involving all of your accounts.
Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!