{
	"id": "87c6c0ca-ec5d-4f8e-9ebb-8435cd7fbd19",
	"created_at": "2026-04-06T00:11:53.846836Z",
	"updated_at": "2026-04-10T03:20:05.079282Z",
	"deleted_at": null,
	"sha1_hash": "34e60d4806779a12e828d4f9fe92d385f13e844d",
	"title": "620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69655,
	"plain_text": "620 million accounts stolen from 16 hacked websites now for sale\r\non dark web, seller boasts\r\nBy Chris Williams\r\nPublished: 2019-02-11 · Archived: 2026-04-02 10:38:48 UTC\r\nExclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the\r\ndark web, according to the data trove's seller.\r\nFor less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the\r\nDream Market cyber-souk, located in the Tor network:\r\nDubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million),\r\nHauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million),\r\nFotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6\r\nmillion), Artsy (1 million), and DataCamp (700,000).\r\nSample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist\r\nmainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way\r\nencrypted, and must therefore be cracked before they can be used.\r\nThere are a few other bits of information, depending on the site, such as location, personal details, and social\r\nmedia authentication tokens. There appears to be no payment or bank card details in the sales listings.\r\nWho are the buyers?\r\nThese silos of purportedly purloined information are aimed at spammers and credential stuffers, which is why\r\ncopies are relatively cheap to buy. 
The stuffers will take usernames and passwords leaked from one site to log into\r\naccounts on other websites where the users have used the same credentials.\r\nSo, for example, someone buying the purported 500px database could decode the weaker passwords in the list,\r\nbecause some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked\r\npassword combinations to log into, say, strangers' Gmail or Facebook accounts, where the email address and\r\npasswords have been reused.\r\nAll of the databases are right now being touted separately by one hacker, who says he or she typically exploited\r\nsecurity vulnerabilities within web apps to gain remote-code execution and then extract user account data. The\r\nrecords were swiped mostly during 2018, we're told, and went on sale this week.\r\nThe seller, who is believed to be located outside of the US, told us the Dubsmash data has been purchased by at\r\nleast one person.\r\nhttps://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/\r\nPage 1 of 7\n\nSome of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were known to have been hacked\r\nas they warned their customers last year that they had been compromised, whereas the others are seemingly newly\r\ndisclosed security breaches. In other words, this is the first time we've heard these other sites have been allegedly\r\nhacked. This also marks the first time this data, for all of the listed sites, has been peddled publicly, again if all the\r\nsellers' claims are true.\r\nIs this legit?\r\nA spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from\r\nits servers in October 2017, a cyber-break-in it told the world about in 2018. ShareThis, CoffeeMeetsBagel, 8fit,\r\n500px, DataCamp, and EyeEm also confirmed their account data was stolen from their servers and put up for sale\r\nthis week in the seller's collection. 
This lends further credibility to the data trove.\r\nLast week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted\r\nthem, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their account data was potentially\r\nbeing touted on the dark web.\r\nOver the weekend, the underground bazaar was mostly knocked offline, apparently by a distributed denial-of-service attack. On Monday this week, the underworld marketplace returned to full strength, and the seller added\r\nthe rest of the sites. We contacted all of them to alert them, and ask for a response. Meanwhile, Dream Market has\r\nbeen smashed offline again.\r\nHere's a summary of what is, or briefly was, purported to be on sale:\r\nDubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total\r\n11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed\r\npassword, username, email address, language, country, plus for some, but not all the users, the first and the\r\nlast name. This alleged security breach has not been previously publicly disclosed. Dubsmash is a video-messaging application popular with millennials and younger folk.\r\nNew York City-based Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner\r\nSimone McCormick told us:\r\n500px: 14,870,304 accounts for 0.217 BTC ($780) total\r\n1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-,\r\nSHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and\r\ncity and country. 
500px is a social-networking site for photographers and folks interested in photography.\r\n\"Our engineering team is currently investigating and if we can confirm there was a breach we will take the\r\nnecessary steps to inform our users as per GDPR standards,\" 500px spokesperson Stephanie Newell told\r\nus.\r\nUpdate: 500px staff are now notifying their users that the site was indeed hacked, and will reset everyone's\r\npasswords, starting with the ones weakly hashed using MD5.\r\n\"We are able to confirm a breach occurred,\" Newell told us. \"Our engineers immediately launched a\r\ncomprehensive review of our systems and have since taken every precaution to secure them. All areas of\r\nvulnerability have been identified and fixed during our internal investigation, and we’ve found no evidence\r\nto date of any recurrence of the issue.\r\n\"We are currently working on notifying our entire user base, however, given the amount of users affected,\r\nthis task will span one day at minimum. We’ve taken every precaution to ensure our users' data is safe. A\r\nsystem-wide password reset is currently underway for all users, prioritized in order of accounts with the\r\nhighest potential risk, and we have already forced a reset of all MD5-encrypted passwords.\"\r\nIn addition, 500px, which is based in Canada, said it has taken the following steps to shore up its security:\r\nEyeEm: 22,360,765 accounts for 0.289 BTC ($1,040) total\r\n1.7GB of data taken February 2018. Each account record contains an email address and SHA1-hashed\r\npassword, although about three million are missing an email address. This security breach has not been\r\npreviously publicly disclosed. Germany-based EyeEm is an online hangout for photographers. 
A\r\nspokesperson did not respond to a request for comment.\r\nUpdate: EyeEm has told its customers it was hacked, and forced a reset of their passwords.\r\n8fit: 20,180,667 accounts for 0.2025 BTC ($728) total\r\n1.9GB of data taken July 2018. Each account record contains an email address, bcrypt-hashed password,\r\ncountry, country code, Facebook authentication token, Facebook profile picture, name, gender, and IP\r\naddress. This security breach has not been previously publicly disclosed. Germany-headquartered 8fit\r\noffers customized workout and diet plans for healthy fitness types.\r\n8fit CEO Aina Abiodun told us her team is investigating, adding: \"I need to get back to you on this and\r\ncan't comment immediately.\"\r\nUpdate: 8fit has confessed to its users that it was hacked, and is resetting their passwords.\r\nFotolog: 16 million accounts for 0.52 BTC ($1,872) total\r\n5.9GB of data taken in December 2018. There are five SQL databases containing information including\r\nemail addresses, SHA256-hashed passwords, security questions and answers, full names, locations,\r\ninterests, and other profile information. This alleged security breach has not been previously publicly\r\ndisclosed. Fotolog, based in Spain, is another social network for photography types. A spokesperson did\r\nnot respond to a request for comment.\r\nAnimoto 25,402,283 accounts for 0.318 BTC ($1,144) total\r\n2.1GB of data taken in 2018. Each account record contains a user ID, SHA256-hashed password, password\r\nsalt, email address, country, first and last name, and date of birth. 
This security breach was publicly\r\ndisclosed by the NYC-headquartered business in 2018, though this is the first time the data has gone on\r\nsale, we understand.\r\n\"We provided notification about an incident potentially affecting customers back in August 2018 after we\r\nidentified unusual activity on our system,\" spokesperson Rebecca Brooks told us. \"After identifying the\r\nsuspicious activity, we immediately took the systems offline and implemented numerous security controls\r\nto help prevent an incident like this from happening again.\"\r\nMyHeritage 92,284,478 accounts for 0.549 BTC ($1,976) total\r\n3.6GB of data taken October 2017. Each account record contains an email address, SHA1-hashed password\r\nand salt, plus the date of account creation. This security breach was publicly disclosed by the business last\r\nyear, though this is the first time the data has gone on sale, we're told. No DNA or similar sensitive\r\ninformation was taken. MyHeritage, based in Israel, is a family-tree-tracing service that studies customers'\r\ngenetic profiles.\r\nA spokesperson told us:\r\nMyFitnessPal 150,633,038 accounts for 0.289 BTC ($1,040) total\r\n3.5GB of data taken February 2018. Each account record contains a user ID, username, email address,\r\nSHA1-hashed password with a fixed salt for the whole table, and IP address. This security breach was\r\npublicly disclosed by the business last year. This may be the first time it has gone on public sale. Under-Armor-owned MyFitnessPal does what it says on the tin: it's an app that tracks diet and exercise. A\r\nspokesperson did not respond to a request for comment.\r\nUpdate: Spokesperson Erin Wendell has told us the biz made every user reset their password following the\r\ndiscovery of the intrusion last year. 
If you reused your old MyFitnessPal password with other sites, now\r\nwould be a good time to change your password on those other services, if you have not done so already.\r\n\"We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed\r\ntheir passwords since that March 29, 2018 announcement, to reset their passwords,\" Wendell said.\r\n\"As a result, passwords previously used for MyFitnessPal at the time of the data security issue are no\r\nlonger valid on MyFitnessPal, and we continue to encourage strong password practices including unique\r\nand complex passwords for all their accounts to enable users to further protect themselves.\"\r\nArtsy 1,070,000 accounts for 0.0289 BTC ($104) total\r\n184MB of data taken April 2018. Each account record contains an email address, name, IP addresses,\r\nlocation, and SHA512-hashed password with salt. This security breach has not been previously publicly\r\ndisclosed. Artsy, located in NYC, is an online home for collecting and organizing art. A spokesperson did\r\nnot respond to a request for comment.\r\nUpdate: Artsy has emailed its users to confirm its data was stolen and sold online. It is in the process of\r\ninvestigating how it happened.\r\nArmor Games 11,013,617 accounts for 0.2749 BTC ($988) total\r\n1.8GB of data taken late December 2018. Each account record contains a username, email address, SHA1-\r\nhashed password and salt, date of birth, gender, location, and other profile details. This alleged security\r\nbreach has not been previously publicly disclosed. California-based Armor Games is a portal for a ton of\r\nbrowser-based games. A spokesperson did not respond to requests for comment.\r\nBookmate 8,026,992 accounts for 0.159 BTC ($572) total\r\n1.7GB of data taken July 2018. 
Each account record typically contains a username, an email address,\r\nSHA512 or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged\r\nsecurity breach has not been previously publicly disclosed. British Bookmate makes book-reading apps. A\r\nspokesperson did not respond to a request for comment.\r\nCoffeeMeetsBagel 6,174,513 accounts for 0.13 BTC ($468) total\r\n673MB of data taken late 2017 and mid-2018. Each account record contains typically a full name, email\r\naddress, age, registration date, and gender. This security breach has not been previously publicly disclosed.\r\nCoffeeMeetsBagel is a dating website.\r\nJenn Takahashi, spokesperson for CoffeeMeetsBagel, told us: \"We are not aware of a breach at this\r\ntime, but our security team is looking into this now.\" She also said the San-Francisco-based biz does not\r\nstore passwords, and uses third-party sites for authentication.\r\n\"We have engaged with our legal team and forensic security experts to identify any issues and ensure we\r\nhave the best security stance moving forward,\" Takahashi added.\r\nUpdate: CoffeeMeetsBagel has confirmed at least some user account data was stolen by a hacker who\r\nbroke into the biz's systems as recently as May 2018, as we reported.\r\n\"On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details,\r\nspecifically names and email addresses prior to May 2018,\" the company said in a statement.\r\n\"Once we became aware, we immediately launched a comprehensive investigation with the help of\r\nexperienced forensic experts. We are currently working on notifying the affected user base. The security of\r\nour users’ information is important to us, and we apologize for any inconvenience this may have caused.\"\r\nDataCamp 700,000 accounts for 0.013 BTC ($46.8) total\r\n82MB of data taken December 2018. 
Each account record contains an email address, bcrypt-hashed\r\npassword, location, and other profile details. This security breach has not been previously publicly\r\ndisclosed. US-based DataCamp teaches people data science and programming. A spokesperson told us they\r\nare \"looking into\" the online sale.\r\n\"We take this matter seriously and want to further verify if this is indeed the case,\" said the biz's Lode\r\nVanacken. \"We will also investigate access and audit logs to see if we can trace back any potential\r\nunauthorised access. If indeed further investigation shows this data to be valid we will communicate with\r\nyou and with the affected end-users.\"\r\nUpdate: Vanacken has told us DataCamp is resetting users' passwords after confirming its data was stolen.\r\n\"We have notified the users we believe were affected or potentially affected via email,\" he said.\r\n\"Out of an abundance of caution, we are logging out all DataCamp users who may have been affected, and,\r\nif they use a password as their authentication method, we are invalidating their passwords and prompting\r\nthem to reset their passwords.\r\n\"We continue to monitor for suspicious activity and to make enhancements to our systems to detect and\r\nprevent unauthorized access to user information.\"\r\nHauteLook 28 million accounts for 0.217 BTC ($780) total\r\n1.5GB of data taken during 2018. Each account record contains an email address, bcrypt-hashed password,\r\nand name. This alleged security breach has not been previously publicly disclosed. HauteLook is an online\r\nstore for fashion, accessories, and so on. A spokesperson for the Los Angeles-based biz did not respond to a\r\nrequest for comment.\r\nShareThis 41,028,098 accounts for 0.217 BTC ($780) total\r\n2.7GB of data taken early July 2018. 
Each account record contains a name, username, email address, DES-hashed password, gender, date of birth, and other profile info. This security breach has not been previously\r\npublicly disclosed. Palo Alto-based ShareThis makes a widget for sharing links to stuff with friends. A\r\nspokesperson did not respond to a request for comment.\r\nUpdate: ShareThis has written to its users, alerting them that the site was hacked, likely in July 2018, and\r\nthat email addresses, password hashes, and some dates-of-birth were stolen and put up for sale online.\r\nWhitepages 17,775,679 accounts for 0.434 BTC ($1,560) total\r\n2.9GB of data taken 2016. Each account record contains an email address, SHA1- or bcrypt-hashed\r\npassword, and first and last name. This alleged security breach has not been previously publicly disclosed.\r\nWhitepages is a Seattle-based online telephone and address directory. A spokesperson did not respond to a\r\nrequest for comment.\r\nThe seller told The Register they have as many as 20 databases to dump online, while keeping some others back\r\nfor private use, and that they have swiped roughly a billion accounts from servers to date since they started\r\nhacking in 2012.\r\nTheir aim is to make \"life easier\" for hackers, by selling fellow miscreants usernames and password hashes to\r\nbreak into other accounts, as well as make some money on the side, and highlight to netizens that they need to\r\ntake security seriously – such as using two-factor authentication to protect against password theft. The thief also\r\nwanted to settle a score with a co-conspirator, by selling a large amount of private data online.\r\nThe hacker previously kept stolen databases private, giving them only to those who would swear to keep the data\r\nsecret.\r\n\"I don't think I am deeply evil,\" the miscreant told us. \"I need the money. 
I need the leaks to be disclosed.\r\n\"Security is just an illusion. I started hacking a long time ago. I'm just a tool used by the system. We all know\r\nmeasures are taken to prevent cyber attacks, but with these upcoming dumps, I'll make hacking easier than ever.\"\r\n®\r\nUpdates below\r\nThis article was revised at 0430 UTC on Tuesday, February 12 to include confirmation from 500px that it was\r\nhacked, as we reported.\r\nAlso on Tuesday, EyeEm informed its users it had been hacked. We understand similar disclosures are due to land\r\nthis week from ShareThis and others.\r\nOn Wednesday, February 13, DataCamp informed us it is resetting its users' passwords after \"some user data was\r\nexposed by a third party who gained criminal unauthorized access to one of our systems.\"\r\nAlso on Wednesday, CoffeeMeetsBagel told us it is alerting its users to its security breach, we added a statement\r\nfrom MyFitnessPal, and 8fit admitted to its customers that it was hacked.\r\nOn Thursday, February 14, Artsy emailed its users to confirm its internal data was stolen and put up for sale, as\r\nreported. \"On February 11, 2019, we became aware that account information for some of our users was made\r\navailable on the internet,\" the biz wrote. \"We are still investigating the precise causes of the incident, and together\r\nwith our engineering team, we are working with a leading cyber forensics firm to assist us.\"\r\nOn Friday, February 15, ShareThis confirmed it was hacked, too.\r\nOn 1 March, Armor Games 'fessed up to a breach.\r\nSource: https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/"
	],
	"report_names": [
		"620_million_hacked_accounts_dark_web"
	],
	"threat_actors": [],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34e60d4806779a12e828d4f9fe92d385f13e844d.pdf",
		"text": "https://archive.orkl.eu/34e60d4806779a12e828d4f9fe92d385f13e844d.txt",
		"img": "https://archive.orkl.eu/34e60d4806779a12e828d4f9fe92d385f13e844d.jpg"
	}
}