617 million accounts from 16 hacked websites are reportedly being sold on the dark Web. Belonging to websites and apps like Dubsmash, MyFitnessPal, 500px, and ShareThis, the hacked account information is said to include names, email addresses, and encrypted passwords. Part of data dump also includes location information, social media authentication tokens, and personal details. After the publication of the leak news by a website, a number of the hacked websites have confirmed the breaches, giving credibility to the complete data dump.
According to a report in The Register, an alleged seller had approached the website and revealed the availability of the stolen data on the dark Web. The seller told the website that they have access to 20 databases containing the hacked accounts, but they were keeping some of them secret for private use. 16 of the hacked databases belonging to Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, and DataCamp have been put on sale. Dubsmash database is said to be the biggest with over 162 million accounts.
The Register claims that it has seen a sample of the accounts put on sale and it does seem to appear legitimate. Also, after The Register's report, the likes of 500px and EyeEm has confirmed that they were indeed hacked and they are informing their users to change their passwords.
“If you were a 500px user on or prior to July 5, 2018, you have been affected,” 500px wrote in a blog post detailing the hack.
The hacked databases from MyHeritage, MyFitnessPal, and Animoto seem to be part of the previous breaches that the company have already disclosed in the past. The seller claims that all of the databases published on the dark Web are new and haven't been previously published online.
Here is a quick look at how many accounts belonging of different websites have been hacked:
If you are a user of any of the websites and apps mentioned above, it is most important that you immediately change your password. If you have used the same password on any other websites, change it on that website as well. It is not recommended to reuse passwords. Normally tools like HaveIBeenPwned reveal if your account information has been published online or on the dark Web. It is unclear whether the HaveIBeenPwned database has been updated to include the latest data dumps.