Fourth Major Credential Spill in a Month Hits DreamMarket

Gnosticplayers has released about 26 million records from what he said are breaches of six new companies.

The hacker behind more than 840 million account records appearing for sale on the Dark Web in February (in dumps collectively known as Collections 1-3) is back with 26.42 more records from six companies.

The adversary, who goes by the handle Gnosticplayers, is asking just 1.2431 in Bitcoin (roughly $4,940), according to ZDnet, which spotted the records for sale on DreamMarket over the weekend.

With this latest credential dump, a total of 38 companies have found their users’ account data up for sale on the underground at the hands of Gnosticplayers. The six companies impacted this time are an eclectic bunch, comprising the GameSalad developer platform, a Brazilian Amazon-equivalent called Estante Virtual, project-management apps Coubic and LifeBear, and two Indonesian companies: The Bukalapak e-commerce giant and a student career site, YouthManual.

The hacker told ZDnet that he obtained these records just last month, and that they all lacked strong encryption for their passwords. So far, the records haven’t been confirmed as legitimate, but if past is prologue, it’s worth noting that previous collections were confirmed as containing real user data.

Gnosticplayers told the outlet that the “lack of security in 2019 is making me angry” – but the motivation seems less than altruistic given the financial gain he’s looking for; he admitted to trying to extort companies in exchange for not publishing the credentials. Some gave into his demands and so their records weren’t published, he claimed.

“After four rounds of user records being put up for sale by this entity, there is a clear pattern that speaks to the way we utilize personal data,” George Wrenn, CEO at CyberSaint Security, said via email. “This data – 26 million records – was obtained within just the past few months. This is not a small incident, as mass amounts of individuals’ personal data is being sold. If anyone had any doubts before, this example should convince them that data truly is the new currency.”

If the claim that the records are freshly hacked turns out to be true, that will be a departure from the previous collections; Collection #1 for instance contained records culled from breaches that occurred as far back as 2010, including the well-known compromise of Yahoo. Fresher data translates into more acute danger of course; users are less likely to have rotated their passwords on accounts that were active a month or less ago. In other words, the account details are much less likely to be outdated.

That could give even more wings to the escalating issue of credential-stuffing and brute-force attacks, where cybercriminals bank on password reuse by trying stolen credentials against other, perhaps higher-value prey, such as online banking portals.

Some in the defense community are saying enough is enough.

“The frequent and recurrent instances of anonymous hackers selling large quantities of stolen identities emphasizes the profound impunity of these crimes,” John Gunn, CMO at OneSpan, said via email. “Using modern hacking tools, criminals can operate with little risk of being caught or ever brought to justice and the result is billions of dollars of losses. To me, this is a strong argument in favor of allowing counter attacks against these anonymous parties by state and private organizations.”

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.