841 Million User Records for Sale on the Dark Web
In the last few weeks, an unknown hacker has put 841 million user records up for sale on the dark web. The user records aren't from a single source—they comprise data from 30 different companies and include a wide range of personal information. So far, no financial data has been reported stolen.
According to The Register, which first reported the story, the seller has stolen “roughly a billion accounts from servers to date since they started hacking in 2012.” Why? The seller hopes to make money, but also hopes to make “life easier” for hackers by selling usernames and password hashes to help them break into other accounts. Ironically, the seller also highlighted the importance of people taking security more seriously, citing two-factor authentication as a good way to protect against password theft.
Want to make life harder for scammers?
Check out our free username generator and random password generator tools.
Think you have a strong password? Use our password strength tester tool to put it to the test!
What personal data is for sale on the dark web, by company
According to The Register and Tech Crunch—which followed up the original story with additional information—user data from these 30 companies is being sold on the dark web for bitcoin. If you have an account with any of the following companies, please update your account password now as well as any other account passwords that are the same or similar:
500px: 14.8 million accounts
The 500px hack included the following data per account:
- Username
- Email address
- MD5-, SHA512-, or bcrypt-hashed password
- Hash salt
- First and last name
- Birthday (if it was provided)
- Gender (if it was provided)
- City (if it was provided)
- Country (if it was provided)
8fit: 20.1 million accounts
The 8fit hack included the following data per account:
- Email address
- bcrypted-hashed password
- Country
- Country code
- Facebook authentication token
- Facebook profile picture
- Name
- Gender
- IP address
Animoto: 25.4 million accounts
The Animoto hack included the following data per account:
- User ID
- SHA256-hashed password
- Password salt
- Email address
- Country
- First and last name
- Date of birth
Armor Games: 11 million accounts
The Armor Games hack included the following data per account:
- Username
- Email address
- SHA1-hashed password and salt
- Date of birth
- Gender
- Location
- Other profile details
Artsy: 1 million accounts
The Artsy hack included the following data per account:
- Email address
- Name
- IP address
- Location
- SHA512-hashed password with salt
Bookmate: 8 million accounts
The Bookmate hack included the following data per account:
- Username
- Email address
- SHA512- or bcrypt-hashed password with salt
- Gender
- Date of birth
- Other profile details
ClassPass: 1.5 million accounts
The ClassPass hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
CoffeeMeetsBagel: 6.1 million accounts*
The CoffeeMeetsBagel hack included the following data per account:
- Full name
- Email address
- Age
- Registration date
- Gender
Coinmama: 450 thousand accounts
The Coinmama hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
DataCamp: 700 thousand accounts
The DataCamp hack included the following data per account:
- Email address
- bcrypt-hashed password
- Location
- Other profile details
Dubsmash: 161.5 million accounts
The Dubsmash hack included the following data per account:
- User ID
- SHA256-hashed password
- Username
- Email address
- Language
- Country
- First and last name (not included for all accounts)
EyeEm: 22.3 million accounts
The EyeEm hack included the following data per account:
- Email address (for all but three million accounts)
- SHA1-hashed password
Fotolog: 16 million accounts
The Fotolog hack included the following data per account:
- Email address
- SHA256-hashed passwords
- Security questions and answers
- Full names
- Locations
- Interests
- Other profile details
Ge.tt: 18 million accounts
The Ge.tt hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Gfycat: 8 million accounts
The Gfycat hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
HauteLook: 28 million accounts
The HauteLook hack included the following data per account:
- Email address
- bcrypt-hashed password
- Name
Houzz: 57 million accounts
The Houzz hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Ixigo: 18 million accounts
The Ixigo hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Jobandtalent, Legendas.tv, OneBip, and Storybird: 20 million accounts combined
The Jobandtalent, Legendas.tv, OneBip, and Storybird hacks included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
MyFitnessPal: 150.6 million accounts
The MyFitnessPal hack included the following data per account:
- User ID
- Username
- Email address
- SHA1-hashed password with a fixed salt for the whole table
- IP address
MyHeritage: 92.2 million accounts
The MyHeritage hack included the following data per account:
- Email address
- SHA1-hashed password and salt
- Date of account creation
PetFlow: 1 million accounts
The PetFlow hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Pizap: 60 million accounts
The Pizap hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Roll20: 4 million accounts
The Roll20 hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
The ShareThis hack included the following data per account:
- Name
- Username
- Email address
- DES-hashed password
- Gender
- Date of birth
- Other profile details
StreetEasy: 1 million accounts
The StreetEasy hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Stronghold Kingdoms: 5 million accounts
The Stronghold Kingdoms hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Whitepages: 17.7 million accounts
The Whitepages hack included the following data per account:
- Email address
- SHA1- or bcrypt-hashed password
- First and last name
YouNow: 40 million accounts*
The YouNow hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Other account details
*No action is required for these accounts, as they reportedly don't store passwords
Dashlane’s Dark Web Monitoring, available to all individual users on a business plan, is a simple way to alert employees when their information appears on the dark web. Here’s how it works:
- Each employee adds up to five of their email addresses, business or personal.
- Dashlane scans billions of accounts and passwords available in data collections on the dark web and flags any exposed accounts with a prompt to take action.
- Employees can click on a button for the flagged credential, which will take them to the login page of that account to change their password immediately. They can use Dashlane’s Password Generator to create a strong, randomized password.
- Dashlane will continue to scan the dark web and will send an automatic alert if any personal data is discovered.
Sign up to receive news and updates about Dashlane
Thanks! You're subscribed. Be on the lookout for updates straight to your inbox.
