Tenable Response to: Hacker selling 617 million online account details for less than $20,000 in Bitcoin
February 2019 by Gavin Millard, VP of Intelligence, Tenable
Tenable’s response to the story of a hacker selling 617 million online account details, obtained from 16 different websites, for less than $20,000 in Bitcoin (BTC) on the dark web.
Response from Gavin Millard, VP of Intelligence, Tenable:
"There appears to be a disconcerting trend developing of combining historic data breaches and packaging them up for sale on the dark web, as was evidenced earlier this year when 773 million records, known as Collection #1, were published. What is notable about this recent set of data is that there are several breaches from within the last year, some of which have already been publicly reported.
"As credential stuffing attacks are becoming increasingly common, repositories like this will be invaluable. For instance, dating app and website OKCupid [whose parent company is Match Group Inc] has been dealing with reports from users of their accounts being hacked. The company has denied the claim that their website was compromised, making it very likely that the account takeovers users are experiencing are the result of credential stuffing attacks.
"Some companies have taken novel steps to try to thwart credential stuffing attacks against their users by obtaining the breached data themselves and cross-referencing it against their own database. They can then warn users of password reuse or issue a password reset to ensure their accounts are protected from credential stuffing. Individuals can also take such precautions by visiting sites such as https://haveibeenpwned.com/ to determine if they have an account that has been compromised.
"Of course, the best way to avoid credential stuffing attacks is to always create unique email and password combinations for every account. Doing this manually is untenable, hence good practice is to always use a password manager that can create and store complex passwords, and even alert users to compromised passwords found in data breaches."
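As an added example (not Tenable's code and not from the original statement), the Python below sketches the two defensive checks Millard describes: a company cross-referencing an obtained breach dump against its own user database to decide between a warning and a forced reset, and the k-anonymity prefix split used by haveibeenpwned.com's Pwned Passwords range lookup. The PBKDF2 storage scheme, the dump contents and the user records are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
# Constructed leaked collection, as a company would obtain it: (email, plaintext).
BREACH_DUMP = [("alice@example.com", "Summer2018!"), ("BOB@Example.com", "password123")]

def hash_password(password, salt):
    # Assumed storage scheme for the company's own database (the page does not
    # state one): PBKDF2-HMAC-SHA256 with a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(email, password):
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}

# Constructed users: Alice reused her leaked password, Bob did not, Carol is not in the dump.
USERS = [make_user("alice@example.com", "Summer2018!"),
         make_user("bob@example.com", "a-long-unique-passphrase"),
         make_user("carol@example.com", "another-unique-passphrase")]

def cross_reference(users, dump):
    """'reset' if a leaked password verifies against the user's stored hash
    (reuse confirmed), 'warn' if only the address appears in the dump."""
    leaked = {}
    for email, password in dump:
        leaked.setdefault(email.lower(), []).append(password)
    actions = {}
    for user in users:
        candidates = leaked.get(user["email"], [])
        reused = any(hmac.compare_digest(hash_password(pw, user["salt"]), user["hash"])
                     for pw in candidates)
        if candidates:
            actions[user["email"]] = "reset" if reused else "warn"
    return actions

def pwned_prefix_and_suffix(password):
    # k-anonymity split used by the haveibeenpwned.com Pwned Passwords range API:
    # only the first 5 hex chars of the SHA-1 are sent; the suffix is matched locally.
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_lines):
    """Occurrences of the password, given the 'SUFFIX:COUNT' lines for its prefix."""
    _, suffix = pwned_prefix_and_suffix(password)
    for line in range_lines:
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0
```

A real deployment would fetch `range_lines` for the 5-character prefix from the Pwned Passwords service rather than a constructed list, and would rate-limit the PBKDF2 verification over a large dump.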