747 Million Stolen Accounts Up For Sale: What To Do

A mysterious figure with the username "gnosticplayers" has put more than 700 million stolen accounts up for sale on the Dream Market dark-web network.

Credit: Feeling Lucky/Shutterstock

(Image credit: Feeling Lucky/Shutterstock)

More than 127 million records stolen from eight different websites went up on Thursday. The seller is asking for a combined $14,500 in bitcoin, reports Bleeping Computer. Earlier this week, The Register reported that the same user put up 620 million accounts from 16 hacked websites, asking for "less than $20,000 in Bitcoin."

The accounts are compiled from 24 breached websites. Some already knew they had been breached: MyFitnessPal, famously hacked last March, accounts for 151 million sets of credentials, and MyHeritage another 92 million. Other sites, including YouNow, Dubsmash , Whitepages, Artsy, DataCamp and dating service CoffeeMeetsBagel were surprises.

MORE: What to Do After a Data Breach

Both sellers' postings have since been removed, and it's unclear whether the two data stashes are still up for sale. The seller told The Register that at least the data from Dubsmash have been purchased by at least one person.

What exactly is for sale? It varies by platform. Mainly, these datasets include account-holder names, email addresses and passwords. Most of these passwords are encrypted, but many internet services still use outdated and breakable hashes.

Some users should be more worried. Two million stolen accounts from file-sharing service Ge.tt contain Facebook IDs and referers, while 18 million accounts from booking site Ixigo.com include IP addresses, email addresses, and even some passport numbers.

None of these data dumps purport to contain billing or bank information, which may be one of the reasons they aren't priced higher. That said, users often employ similar usernames and passwords across accounts. So a buyer of your MyFitnessPal account may try to use that information to log into your Facebook, Gmail, or bank account.

If you have an account on one of these platforms, change your password now. You'll also need to make sure you're not using that same username or password for any other accounts.

Here's the full list of hacked websites in these two dumps:

Animoto 25,402,283 accounts
Armor Games 11,013,617 accounts
Artsy 1,070,000 accounts
Bookmate 8,026,992 accounts
CoffeeMeetsBagel 6,174,513 accounts
CoinMama 420,000 accounts
DataCamp 700,000 accounts
Dubsmash: 161,549,210 accounts
8fit: 20,180,667 accounts
EyeEm: 22,360,765 accounts
Fotolog: 16 million accounts
500px: 14,870,304 accounts
Ge.TT 1.83 million accounts
HauteLook 28 million accounts
Houzz 57 million accounts
Ixigo 18 million accounts
MyFitnessPal 150,633,038 accounts
MyHeritage 92,284,478 accounts
PetFlow 1 million accounts
Roll20 4 million accounts
ShareThis 41,028,098 accounts
StrongHoldKingdoms 5 million accounts
Whitepages 17,775,679 accounts
YouNow 40 million accounts

Make sure that your new password is more than 12 characters long, and complicated. As we've reported previously, it's disturbingly easy to decrypt a password that's eight characters or shorter.

And in the future, we hope this incident will serve as a reminder: Use a secure password, and don't duplicate across accounts. 

TOPICS

Monica Chin is a writer at The Verge, covering computers. Previously, she was a staff writer for Tom's Guide, where she wrote about everything from artificial intelligence to social media and the internet of things to. She had a particular focus on smart home, reviewing multiple devices. In her downtime, you can usually find her at poetry slams, attempting to exercise, or yelling at people on Twitter.

Latest in Online Security
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
Victims of Identity Theft
FTC says Americans lost $12 billion to scams last year and these were the worst ones — here's how to stay safe
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
A person trying to set up a new Wi-Fi router
Thousands of TP-Link routers have been infected by a botnet to spread malware
An image of a CAPTCHA
Hackers are using reCAPTCHA to trick users into infecting their own PCs with malware — how to stay safe
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Latest in News
Google Chromecast
Google has a fix for broken Chromecasts as long as you didn't factory reset
NYTimes Connections
NYT Connections today hints and answers — Friday, March 14 (#642)
Nvidia ACE
I played with Nvidia's AI NPC prototypes — now they're real, and I fear I'll never finish a game again
iPhone 17 Air vs iPhone 17 Pro Max
iPhone 17 Air vs iPhone 17 Pro Max: Biggest rumored differences
Intel CPU
Intel's Panther Lake appears in public for the first time — what we know about the new chip
OnePlus Pad 2 with keyboard
OnePlus Pad 2 Pro specs leak — this tablet is a beast