More than 164 million user records stolen from almost a dozen companies have been put up for sale on the dark web in recent days. The data trove is being peddled by a cybercriminal collective going by the name Shiny Hunters for a combined asking price of US$23,100.
The cache includes 91 million user records stolen from Tokopedia, Indonesia’s largest online store, and offered for sale in early May. In a later development, multiple cyber-threat intelligence companies told BleepingComputer that Shiny Hunters have started uploading records from new data breaches.
The new records include data pilfered from home meal kit delivery service HomeChef, photo print service Chatbooks, and college-oriented news website chronicle.com. The data runs the gamut and includes names, phone numbers, email addresses, password hashes, social media access tokens and a range of Personally Identifiable Information. The hacker group did not discriminate, and the full list comprises data from 11 companies based in various parts of the world, notably Asia and the United States:
- Tokopedia, 91 million records for US$5,000
- Homechef, 8 million records for US$2,500
- Bhinneka, 2 million records for US$1,200
- Minted, 5 million records for US$2,500
- Styleshare, 6 million records for US$2,700
- Ggumim, 2 million records for US$1,300
- Mindful, 2 million records for US$1,300
- StarTribune, 1 million records for US$1,100
- Chatbooks, 15 million records for US$3,500
- The Chronicle of Higher Education, 3 million records for US$1,500
- Zoosk, 30 million records for US$500
Chatbooks, one of the victims, has already notified its users about the data breach; the other affected companies should follow suit soon, since they have been notified about the breaches to their systems.
RELATED READING: Cybercrime black markets: Dark web services and their prices
If you are a user of any of these services, you should immediately change your passwords. To add an extra layer of security, consider turning on two-factor authentication if the websites offer such an option. Perhaps auditing the security of your other accounts is in order as well, especially if you tend to recycle your passwords.
Meanwhile, Shiny Hunters have also claimed responsibility for allegedly hacking Microsoft’s GitHub accounts, threatening to release the reportedly stolen private projects. The Redmond giant has yet to confirm or deny if their GitHub account has been breached, although an unnamed Microsoft employee did actually confirm that the data was genuine.