Hacker who stole 620 million records strikes again, stealing 127 million more

A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from eight more websites, TechCrunch has learned.

The hacker, whose listing was the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites — some that had already been disclosed, like more than 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn’t know or hadn’t disclosed yet — such as 500px and Coffee Meets Bagel.

The Register, which first reported the story, said the data included names, email addresses and scrambled passwords, and in some cases other login and account data — though no financial data was included.

Now the same hacker has eight additional marketplace entries after their original listings were pulled offline, including:

  • 18 million records from travel booking site Ixigo
  • Live-video streaming site YouNow had 40 million records stolen
  • Houzz, which recently disclosed a data breach, is listed with 57 million records stolen
  • Ge.tt had 1.8 million accounts stolen
  • 450,000 records from cryptocurrency site Coinmama.
  • Roll20, a gaming site, had 4 million records listed
  • Stronghold Kingdoms, a multiplayer online game, had 5 million records listed
  • 1 million records from pet care delivery service PetFlow

According to the hacker’s listings, Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow doesn’t store passwords, a spokesperson said.

In all, the hacker is selling the hacked data for about $14,500 in bitcoin.

The dark web marketplace listing for Houzz. (Image: TechCrunch)

Ariel Ainhoren, research team leader at Israeli security firm IntSights, said that the hacker may have used the same security flaw to target vulnerable sites.

Six of the 16 databases were running the same back-end PostgreSQL database software, said Ainhoren in an email to TechCrunch. In successfully exploiting the bug, the hacker was able to “dump” the database to a file and download it.

“We’re still analyzing it, but it could have been that he used some kind of vulnerability that surfaced around that time and wasn’t patched by these companies or a totally new unknown vulnerability,” he said. “As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it.”

When reached, Jonathan Katz, a contributor for PostgreSQL, said the open-source project was “currently unaware of any patched or unpatched vulnerabilities that could have caused these breaches.”

“There are many factors that need to be taken into consideration when securing a database system that go beyond the database software. We have often found that data breaches into a PostgreSQL database involve an indirect attack vector, such as a flaw in an application accessing PostgreSQL or a suboptimal policy around data management,” he said. “When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”