On May 5, Troy Hunt, the creator of the well-known “Have I Been Pwned?” breach alert service, announced that he had loaded “over 1 billion breached accounts into HIBP.” At the time of his blog post, HIBP hosted 2.7 billion breached accounts from numerous breaches. “There’s a lot more there now,” he explained, referring to a massive number of breached accounts currently for sale as so-called “anti-public” username and password lists.
On the Hansa marketplace, some of the major vendors, DoubleFlag for instance, sat on the back burner as two relatively unknown vendors, “Wildfruit2” and “DBworld,” made headlines. Both listed nearly identical products on Hansa. DBworld advertised 457,962,538 username and cleartext password pairs belonging to users who reused passwords across multiple websites, often users whose details had already been compromised in earlier database breaches.
Hunt explained credential stuffing, the technique these anti-public lists are bought for:
“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.”
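The quote describes the attack from the attacker’s side. What follows is an added example, not from Hunt or the original article, showing the defender’s side: detection logic run over a handful of constructed authentication log lines that separates credential stuffing (many distinct accounts, roughly one attempt each, from a single source) from classic brute force (one account, many password guesses). The log format, the IP addresses, the usernames and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Assumed format per line: <ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2017-05-10T12:00:01 203.0.113.7 alice FAIL
2017-05-10T12:00:02 203.0.113.7 bob FAIL
2017-05-10T12:00:02 203.0.113.7 carol FAIL
2017-05-10T12:00:03 203.0.113.7 dave SUCCESS
2017-05-10T12:00:03 203.0.113.7 erin FAIL
2017-05-10T12:00:04 203.0.113.7 frank FAIL
2017-05-10T12:00:05 198.51.100.9 alice FAIL
2017-05-10T12:00:06 198.51.100.9 alice FAIL
2017-05-10T12:00:07 198.51.100.9 alice FAIL
2017-05-10T12:00:08 198.51.100.9 alice FAIL
2017-05-10T12:00:09 198.51.100.9 alice FAIL
2017-05-10T12:00:10 198.51.100.9 alice FAIL
2017-05-10T12:05:00 192.0.2.44 gina FAIL
2017-05-10T12:05:30 192.0.2.44 gina SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, stuffing_ratio=0.8):
    """Label each source IP as 'credential_stuffing', 'brute_force' or 'normal'.

    For every IP, slide a time window over its login attempts and keep the
    busiest window. Brute force tries many passwords against few accounts;
    credential stuffing replays spilled username/password pairs, so almost
    every attempt targets a different account (distinct users / attempts is
    close to 1). The thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    labels = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        busiest_attempts, busiest_distinct = 0, 0
        left = 0
        for right in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[right].ts - evs[left].ts > window:
                left += 1
            in_window = evs[left:right + 1]
            if len(in_window) > busiest_attempts:
                busiest_attempts = len(in_window)
                busiest_distinct = len({e.user for e in in_window})
        if busiest_attempts < min_attempts:
            labels[ip] = "normal"
        elif busiest_distinct >= stuffing_ratio * busiest_attempts:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "brute_force"
    return labels


def compromised_accounts(events, labels):
    """Accounts that logged in successfully from a source labelled as stuffing.

    Stuffing is not all failures: the point of the attack is that some reused
    pairs still work, and those successes are the accounts that were hijacked.
    """
    return {e.user for e in events if e.ok and labels.get(e.ip) == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, label in sorted(verdicts.items()):
        print(f"{ip:<14} {label}")
    print("hijacked accounts:", sorted(compromised_accounts(evs, verdicts)))
```

The ratio of distinct usernames to attempts is what distinguishes the two patterns; a per-account failed-login lockout, the usual brute-force control, does nothing against stuffing because each account is only tried once. Note also that the stuffing source in the sample produces a success, not just failures, so a rule that only counts failures would miss the one account that actually needs a forced password reset.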
DBworld listed its 457,962,538 accounts for $249 as of May 10. The vendor, while less established than DoubleFlag or TheDarkOverlord, sold a surprising number of accounts spanning all sorts of industries. And although anti-public lists are usually compiled from a random assortment of hacked databases with no indication of their origin, DBworld’s listing potentially names the specific source(s). Unfortunately, that matters very little; the “Ultimate Leak Pack | 4,074,055,658 records | 1081 databases | Last updated: 10th May” contains far too many records to read through.
The listing includes a list of breached databases that, indeed, took several minutes to read through. Most are recognizable as breaches that DeepDotWeb has reported in the past, the Bitcoin forums or the uTorrent forum breach, for example.
The second vendor, Wildfruit2, listed the same 457,962,538-account combo list on the same darknet market for $230, only marginally less. Both vendors were selling the same product, and it took only a few hours for someone to buy the data from one of them. The buyer then, to the dismay of many and the delight of a few, uploaded 17 gigabytes of uncompressed text to a publicly accessible website. There, the data can easily be verified beyond the confirmation already provided by Hunt. (Not that there is any need to do so.)
HackRead, known for its keen eye when reporting darknet data breaches, pointed out that “the nightmare doesn’t end [there].” Wildfruit2 is also actively selling 800 million Exploit.in accounts as cleartext username and password combinations, bringing Wildfruit2’s total to 1,257,962,538 accounts.