A mysterious figure with the username "gnosticplayers" has put more than 700 million stolen accounts up for sale on the Dream Market dark-web network.
More than 127 million records stolen from eight different websites went up on Thursday. The seller is asking for a combined $14,500 in bitcoin, reports Bleeping Computer. Earlier this week, The Register reported that the same user put up 620 million accounts from 16 hacked websites, asking for "less than $20,000 in Bitcoin."
The accounts are compiled from 24 breached websites. Some already knew they had been breached: MyFitnessPal, famously hacked last March, accounts for 151 million sets of credentials, and MyHeritage another 92 million. Other sites, including YouNow, Dubsmash , Whitepages, Artsy, DataCamp and dating service CoffeeMeetsBagel were surprises.
MORE: What to Do After a Data Breach
Both sellers' postings have since been removed, and it's unclear whether the two data stashes are still up for sale. The seller told The Register that at least the data from Dubsmash have been purchased by at least one person.
What exactly is for sale? It varies by platform. Mainly, these datasets include account-holder names, email addresses and passwords. Most of these passwords are encrypted, but many internet services still use outdated and breakable hashes.
Some users should be more worried. Two million stolen accounts from file-sharing service Ge.tt contain Facebook IDs and referers, while 18 million accounts from booking site Ixigo.com include IP addresses, email addresses, and even some passport numbers.
None of these data dumps purport to contain billing or bank information, which may be one of the reasons they aren't priced higher. That said, users often employ similar usernames and passwords across accounts. So a buyer of your MyFitnessPal account may try to use that information to log into your Facebook, Gmail, or bank account.
If you have an account on one of these platforms, change your password now. You'll also need to make sure you're not using that same username or password for any other accounts.
Here's the full list of hacked websites in these two dumps:
Animoto 25,402,283 accounts
Armor Games 11,013,617 accounts
Artsy 1,070,000 accounts
Bookmate 8,026,992 accounts
CoffeeMeetsBagel 6,174,513 accounts
CoinMama 420,000 accounts
DataCamp 700,000 accounts
Dubsmash: 161,549,210 accounts
8fit: 20,180,667 accounts
EyeEm: 22,360,765 accounts
Fotolog: 16 million accounts
500px: 14,870,304 accounts
Ge.TT 1.83 million accounts
HauteLook 28 million accounts
Houzz 57 million accounts
Ixigo 18 million accounts
MyFitnessPal 150,633,038 accounts
MyHeritage 92,284,478 accounts
PetFlow 1 million accounts
Roll20 4 million accounts
ShareThis 41,028,098 accounts
StrongHoldKingdoms 5 million accounts
Whitepages 17,775,679 accounts
YouNow 40 million accounts
Make sure that your new password is more than 12 characters long, and complicated. As we've reported previously, it's disturbingly easy to decrypt a password that's eight characters or shorter.
And in the future, we hope this incident will serve as a reminder: Use a secure password, and don't duplicate across accounts.