Hacked BitcoinTalk.org User Data Goes Up For Sale On Dark Web
An opportunist using the name “DoubleFlag” has put the recently hacked BitcoinTalk.org’s database for sale on the dark web, according to Hackread. The same seller has also offered 68 million hacked hashed passwords of Dropbox users.
In May 2015, BitcoinTalk was the victim of a social engineering attack after an unknown hacker targeted an employee of NFOrce, BitcoinTalk’s ISP. In a revelation on Reddit at the time, forum operator and administrator Theymos hinted that password hashes, private messages, emails and other user details could be compromised.
User Data Exposed
As it turns out, the data dump containing stolen Bitcointalk users’ information includes usernames, email addresses, passwords, users’ birthdays, secret questions and their corresponding hashed secret answers and other internal data.
While the hack occurred in May 2015, the stolen data was leaked only a couple of days agofrom unknown sources.
“DoubleFlag” grabbed the data before anyone else could. The leaked data was only accessible to data breaches notification sites like Hacked-DB and LeakedSource.
BitcoinTalk Database For 1 BTC
BitcoinTalk’s database is going for 1 BTC ($614.67 USD). The file contains 514,408 accounts, including email address, personal text number, date of birth, username, gender, website title, password and location. The passwords are encrypted. There are 469,540 passwords encrypted with the SHA-256 algorithm, plus 44,868 passwords encrypted with the SMF password encryption.
Notably, the remaining 91% of user passwords were hashed with “sha256crypt,” a method of password storage that LeakedSource deemed as “far superior to nearly every website we’ve seen thus far.” That’s high praise, coming from a resource that reveals details of data breaches frequently, in a time where mega-breaches of hundreds of millions of users are commonplace.
LeakedSource was able to crack 30,389 passwords in total.
Seller Shares Sample Data
The dark web seller also shared sample data of more than 600 accounts with Hackread from the database:
While the leaked passwords are encrypted, decrypting them is not expected to be difficult.
Hackers stole and sold 427 Million MySpace passwords earlier this year on the same dark web marketplace. In May 2016, 33 million Twitter and 117 million LinkedIn login credentials were listed on a dark web marketplace for sale.