Stolen user information from 16 popular apps and services including Dubsmash and MyFitnessPal is now being sold on the dark web, according to a report from The Register. A seller on the dark web marketplace Dream Market has come forward offering login details for more than 617 million accounts for just under $20,000, to be paid in Bitcoin.
The seller claims that the several-gigabyte database contains usernames, email addresses and passwords for accounts on a number of popular websites and apps. Affected services include Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, Coffee Meets Bagel, Artsy and DataCamp. Some services, including Coffee Meets Bagel, which has suffered from some lax security practices in the past, have sent out an email to users informing them of a breach -- probably not the message people want to receive from a dating app on Valentine's Day.
Most of the passwords are believed to be encrypted and hashed, meaning any buyer will have to crack the encryption to gain access to the accounts. However, because data breaches have become so common, a purchaser could cross-reference email addresses with previous breaches. If a person has reused a password, their account may be compromised. As a precaution, if you've used any of the affected services, it's probably best to change your password.