User information stolen in data breaches at 14 companies is being sold on the online black market, and more than 144 million users may be at risk.
According to Bleeping Computer, an infamous data broker is at the heart of the operation. While the 14 databases differ in the types of information they hold, each contains usernames and hashed passwords, although not all the password hashes are likely to be cracked.
The compromised databases originate from online food services, gaming websites, sports streaming services, financial services companies, clothes retailers and a range of other companies.
The affected companies and services are Dark Throne, Efun, Fluke, Footters, HomeChef, JamesDelivery, KitchHike, KreditPlus, Minted, Playwings, Revelo, Tokopedia, Yotepresto and Zoosk, and the stolen data contains more than 144 million records in total.
According to the stolen-data seller, all these breaches took place from January to June 2020. Of the 14 companies, Bleeping Computer reports, just HomeChef, Minted, Tokopedia and Zoosk have announced data breaches, but Bleeping Computer said the data it saw from the other companies looked "legitimate."
Sold to the highest bidder
The data broker told Bleeping Computer he was selling the contents of each database for prices ranging between $100 and $1,100. The largest data stash holds 91 million records from Tokopedia, an Indonesian e-commerce company, while the smallest holds 115,000 records from Japanese food-and-travel site KitchHike.
The same data broker is also selling data stolen from companies that have been compromised in the past. They include the likes of Wirecard, ClickFunnels, Reverb Nation, ZyngaPoker, Star Tribune and Epic Games.
The KitchHike account passwords were protected with the very strong hashing algorithm Bcrypt, according to a screenshot posted by Bleeping Computer. If so, the KitchHike passwords are probably safe, but there's no guarantee that passwords that were part of the other databases would have been as well protected.
The KitchHike data also included usernames, email addresses, real names, geographic locations, social-media profiles and phone numbers, so there's plenty for spammers and phishers to work with even without cracking a password.
If you have an account with any of these breached websites and online services, you should change your account password right away, and make sure the new password is something strong and unique. One of the best password managers will be of enormous help. You should also contact the affected company for advice.
If your information is indeed among this stolen data, you may want to consider one of the best identity-theft protection services, which can help limit the damage.