144 million records from new data breaches being sold online: What to do

News
By published

Only four of 14 affected firms have reported data breaches

database hacker
(Image credit: Getty Images)

User information stolen in data breaches at 14 companies is being sold on the online black market, and more than 144 million users may be at risk.

According to Bleeping Computer, an infamous data broker is at the heart of the operation. While the 14 databases differ in the types of information they hold, each contains usernames and hashed passwords, although not all the password hashes are likely to be cracked.

The compromised databases originate from online food services, gaming websites, sports streaming services, financial services companies, clothes retailers and a range of other companies. 

The affected companies and services are Dark Throne, Efun, Fluke, Footters, HomeChef, JamesDelivery, KitchHike, KreditPlus, Minted, Playwings, Revelo, Tokopedia, Yotepresto and Zoosk, and the stolen data contains more than 144 million records in total.

According to the stolen-data seller, all these breaches took place from January to June 2020. Of the 14 companies, Bleeping Computer reports, just HomeChef, Minted, Tokopedia and Zoosk have announced data breaches, but Bleeping Computer said the data it saw from the other companies looked "legitimate."

Sold to the highest bidder

The data broker told Bleeping Computer he was selling the contents of each database for prices ranging between $100 and $1,100. The largest data stash holds 91 million records from Tokopedia, an Indonesian e-commerce company, while the smallest holds 115,000 records from Japanese food-and-travel site KitchHike.

The same data broker is also selling data stolen from companies that have been compromised in the past. They include the likes of Wirecard, ClickFunnels, Reverb Nation, ZyngaPoker, Star Tribune and Epic Games. 

The KitchHike account passwords were protected with the very strong hashing algorithm Bcrypt, according to a screenshot posted by Bleeping Computer. If so, the KitchHike passwords are probably safe, but there's no guarantee that passwords that were part of the other databases would have been as well protected.

The KitchHike data also included usernames, email addresses, real names, geographic locations, social-media profiles and phone numbers, so there's plenty for spammers and phishers to work with even without cracking a password.

If you have an account with any of these breached websites and online services, you should change your account password right away, and make sure the new password something strong and unique. One of the best password managers will be of enormous help. You should also contact the affected company for advice.

If your information is indeed among this stolen data, you may want to consider one of the best identity-theft protection services, which can help limit the damage.

  • More: Stay anonymous without the spend with a cheap VPN
Nicholas Fearn

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!