Hackers Openly Selling Personal Data On Dark Web

The brazen nature of cyber criminals became clear this week as private data was put up for sale on the dark web marketplace Dream Market.

In total, over 617 million hacked accounts were made available for purchase by a cyber criminal or cyber criminal outfit using the name Gnosticplayers.

Although such a huge amount of information has been stolen, it is thought that the data was extracted from only 16 data breaches, highlighting the scale that individual attacks can reach.

According to their profile page, Gnosticplayers openly publicise the data that is on offer: “Feel free to message me here on Dream Market to tell me what kind of data you’re searching (crypto, gaming, or huge data sets), and I will list it here for sale right after.

“Since I have a huge reserve of fresh data, I probably have what you need. If the data does not correspond to what the breach information specifies, do an escrow dispute. However, carefully read the listing of what you’ll receive because if you purchase it you agree to receive the specified data.”

Worryingly, many of the sites the information was hacked from have not reported the data breach, indicating that they were unaware of the hack or failed to disclose it for fear of reputational damage.

What has become clear is that previously compromised sites such as MyFitnessPal and Animoto were part of the data bundle being sold. Previously unreported sites such as photography site 500px were also exposed during the attack.

It is thought that the data contains a variety of sensitive information including email addresses, passwords and personal details.

Ilkka Turunen, global director at software firm Sonatype, said: “A number of the breached sites failed to disclose the attacks, indicating that they weren’t aware of the hack, or opted not to reveal it, and thus could fall foul of GDPR and be subject to serious fines. Either way, it’s likely to be concerning for consumers, who will bear the brunt of the attacks.

“Compounding this is the fact that the breaches may have been preventable. The hacker stated they exploited security vulnerabilities in web apps and website code – from a software perspective, such vulnerabilities are easy to fix. Yet despite this, companies neglect to do so… As consumer awareness increases, they are likely to become much less tolerant of those companies who fail to implement proper security when they have the tools available to do so.”

How secure is the data held within your law firm? Have you ensured that all cyber security policies are in place to prevent attacks?