User information was stolen from 16 popular apps and services and is being sold on the dark web, according to a report in the UK’s The Register. The breach released more than 617 million user accounts to a seller on the dark web, Dream Market, who offered the login details for less than $20,000 in Bitcoin.
Apps affected by this breach include MyFitnessPal, HauteLook, Dubsmash, My Heritage, ShareThis, Animotos, BookMat, EyeEM, 8fit, Whitepages, Fotolog, 500px, Armor Games, Coffee Meets Bagel, DataCamp and Artsy. Of the apps impacted by the breach, several have millions of user accounts; Dubsmash, which has 162 users, and MyFitnessPal, which has 151 million, according to the report, have the most accounts that have been compromised in this breach.
Information breached includes account holder names, email addresses, and passwords, in addition to social media authentication tokens, location or other personal details, depending on the site. No payment or banking information was available in the sales listings, according to the report.
Websites, including MyHeritage, MyFitnessPal, and Animoto, disclosed this breach to customers last year, the report said, but the additional companies were newly hacked. A spokesman for MyFitnessPal told The Register that they asked users to reset their passwords following the breach last year.
“We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed their passwords since that March 29, 2018 announcement, to reset their passwords,” said Erin Wendell, spokesperson for MyFitnessPal. “As a result, passwords previously used for MyFitnessPal at the time of the date security issues are no longer valid on MyFitnessPal, and we continue to encourage strong password practices, including unique and complex passwords for all their accounts to enable users to further protect themselves.”
Any buyer would have to crack the encryption to gain access to these password-protected accounts. In order to use any of these accounts, the buyer would have to be cracked before they can be used, which can be done at times by using older email addresses from prior breaches. Users who have accounts with any of the affected services should change their password, if they haven’t already.