A Hacker Has Dumped Nearly One Billion User Records Over the Past Two Months (zdnet.com)
A hacker who spoke with ZDNet in February about wanting to put up for sale the data of over one billion users is getting dangerously close to his goal after releasing another 65.5 million records last week and reaching a grand total of 932 million records overall. From a report: The hacker's name is Gnosticplayers, and he's responsible for the hacks of 44 companies, including last week's revelations. Since mid-February, the hacker has been putting batches of hacked data on Dream Market, a dark web marketplace for selling illegal products, such as guns, drugs, and hacking tools. He's released data from companies like 500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names. Releases have been grouped in four rounds -- Round 1 (620 million user records), Round 2 (127 million user records), Round 3 (93 million user records), and Round 4 (26.5 million user records).
You're saying shitty websites have poor security? (Score:1)
"500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names." Other than underarmor, THESE are the BIGGER NAMES? Lol.
Re: (Score:2)
"500px, UnderArmor, ShareThis, GfyCat, and MyHeritage, just to name the bigger names." Other than underarmor, THESE are the BIGGER NAMES? Lol.
IKR? Never heard of any of these short of UnderArmor and I haven't heard any news from that outfit for a long time.
Re:So? (Score:5, Funny)
My pass phrase is 1kb long.
That is an insecure pass phrase. "1Kb L0nG$" would be better.
Re: (Score:1)
My pass phrase is 1kb long.
That is an insecure pass phrase. "1Kb L0nG$" would be better.
Funny!
Re: (Score:3)
My pass phrase is 1kb long.
That is an insecure pass phrase. "1Kb L0nG$" would be better.
Dammit! Now I have to change the combination on my luggage!
Re:So? (Score:5, Funny)
My pass phrase is 1kb long. Good fucking luck with that
Worst pickup line ever...
Re: (Score:1)
The hash is most likely far shorter than that 1kb number, and I am not sure if that is kilobits or kilobytes being referenced. Assuming a strong SHA512 hash and a 1kb password, you have introduced many collisions with more modest length passwords.
Re: (Score:1)
"Mail from Security Minded People."
Please check the strength of your password using our free tool:
www.www.com/passwordchecker.py
Why my PW is 1kb... Should say it's strong. Let me cut & paste it in.
See, says it the best it has ever seen!
I'm so smart. I'm so smart...
I joke about this, however I work someplace and the guy in charge of the Windows people typed his password into the checker in less than 5 minutes. This was the day after phishing awareness training.
If you want to keep things secure, get rid o
Re: (Score:2)
My pass phrase is 1kb long.
Well, MY pass phrase has 1kg mass.
Re: (Score:2)
My pass phrase is 1kb long.
Well, MY pass phrase has 1kg mass.
So, you've been logging in to Slashdot for the last 5 years just for this one post? Was it worth it?
Re: (Score:1)
If the sentence would be similar to what corporations get for breaking laws, the guy would get a fine of 1% of his net income and by appeal the sum would be halved.
Re: (Score:2)
I would be heavily in favour of the death penalty for this moron.
The focus should be on fixing security holes, rather than draconian punishments for those who inevitably exploit them.
Re: (Score:2)
That would make things better. But some people obviously prefer them to stay bad so they can indulge their sadistic fantasies...
Re: (Score:2)
I would be heavily in favour of the death penalty for this moron.
The focus should be on fixing security holes, rather than draconian punishments for those who inevitably exploit them.
Can't we do both?
What is your theory as to why we can't have nice things?
Re: (Score:2)
Just shows you are a vicious cave-man. The death-"penalty" has no deterrence value and is just revenge. As such it makes matters worse. Great job.
Re: In all seriousness... (Score:2)
Care to name anyone who's reoffended after being executed?
Re: (Score:1)
Care to name anyone who's reoffended after being executed?
Exactly the same number as have reoffended after serving a life sentence without eligibility for parole. Killing them back accomplishes nothing, but does exclude the possibility of exoneration in the large number of cases where someone has been wrongly convicted.
Re: (Score:2)
That is unlikely. Most people are not cave-men that think murder (whether by the state or otherwise) is acceptable.
Re: (Score:2)
Cave men like that saved your parents' arse in WW2. Perhaps you think Hitler and the Japanese should have just had stern words spoken to them?
Moron.
Re: (Score:2)
If you stop letting people appeal after appeal after appeal it wouldn't cost so much. Criminals like James Holmes where there is zero doubt of who committed the crime. Why keep those people alive? Saying it costs too much is just the system being broken. Killing someone is extremely cheap. Just ask James Holmes.
For some reason though, we would rather waste money on keeping him alive. I guess he's worth our tax dollars, eh? Surely no other way we could spend that money but instead we let him live.
In extremely
Re: (Score:2)
Wow, you really do not understand how things work. And even with your primitive approach, it would still not have any deterrence value.
Re: (Score:2)
Who said deterrence is the only goal? Prevention of further crimes by the criminal is just as important and the death penalty does that perfectly with the added bonus of not costing the same as a 4 star hotel to keep them incarcerated for the rest of their lives.
Re: (Score:2)
That is not what "deterrence" means.
Re: (Score:1)
Care to name anyone who's reoffended after being executed?
You thought you were trolling, but I've got a serious answer to that:
Jesus Christ ("offended" the archaic laws in place in 1BC)
Justice isn't always fair -- it's enforcing the laws in place at the time. One of the failings of our justice system is that the system itself can be wrong at times and yet we still strive for the harshest penalty for someone who may have been right in the truest sense.
Re: (Score:2)
I'm not condoning his actions in the slightest.
But you do realize what he's doing basically, Google and Facebook and many others also do every day?
In other news... (Score:3)
...People all over the world are continuously giving their data away to Facebook for free.
Re: (Score:1)
Someone finally sees the elephant in the room. Nobody notices because they're all too bloody busy with their noses in their mobiles clicking "Like" and "Subscribe".
life during wartime (Score:1)
I don't know what I look like!
Weird grammar (Score:1)
"Dangerously close"? I'm not going to argue that this isn't bad, but does something magical happen when he releases the data for the billionth user and reaches his goal that makes it especially dangerous? Shouldn't releasing records 932,000,001 through 1,000,000,000 be at _most_ about 6.8%
Advice (Score:3, Interesting)
Really. Don't do online payments, don't subscribe to news organizations, don't stream games, don't get email notifications, nothing. The only sort of safe exception is medical information under HIPAA.
Remember no organization is at risk if they leak your info. The cost of a breach is just factored into the cost of doing business. That's why HIPAA is an exception. Medical information leaks are treated extremely seriously and they can even cause an organization to be shut down.
The only one who is at risk if personal data becomes public is you. Organizations don't give a damn about you.
Re: (Score:1)
Dammit, I wanna sign up just to get the points to mod you up.
Re: (Score:1)
That's why HIPAA is an exception. Medical information leaks are treated extremely seriously and they can even cause an organization to be shut down.
For those of us who work with HIPAA data on a daily basis vs. non-HIPAA data - yes it's treated more seriously. BUT, at the end of the day - it's another factored risk. Paraphrasing Fight Club:
"Take the number of (HIPAA records), A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of (properly securing against a data breach), we don't (bother with proper data security)."
Business woman on plane:
Are there a lot of these kinds of (exposures)?
Narrator:
You wouldn't believe.
Business woman on plane:
Which (HIPAA compliant) company do you work for?
Narrator:
A major one.
Or sign up under a false persona (Score:2)