On the dark web forum Hell, a hacker has apparently sold a wad of passwords for just over $8,000.
Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.
That's why we're launching this new format: Another Day, Another Hack. We'll do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, and as new data breaches fight for your attention, real people are still getting fucked over somewhere, and should know about it.
A hacker on the dark web forum Hell claims to have sold the email addresses and plaintext passwords of over 27 million users of dating site Mate1.com.
"Their server was compromised and the MySQL database was dumped," the hacker, who asked to remain anonymous, told Motherboard. "I had shell/command access to their server."
Motherboard obtained a relatively small sample of the email addresses and passwords. Out of 500 addresses, 498 were linked to accounts on Mate1.com. According to its website, Mate1 has over 36.5 million users.
In order to create an account on the site, users are not required to click a verification link in their email, so there is every chance that some of the email addresses may have been signed up to the service by people who don't actually own them. (This was also the case on extramarital affairs site Ashley Madison.) There were also some email addresses in the sample that contained spelling errors, such as "gmaile" instead of "gmail," indicating that they might not be functional. The vast majority of the sample used Gmail accounts, however.
The hacker claimed to have originally obtained 40 million accounts, but said they had "pruned out the bot logins."
"They all had a common password pattern," they said.
On Hell, the asking price for the database was 20 bitcoin, or around $8,700. It is unclear if this is how much the data was actually sold for.
On Monday, this reporter clicked the "forgotten password" feature on Mate1's login page. The full, plaintext password was then emailed, further corroborating that the site does indeed store passwords without any hashing.
Mate1 did not respond to multiple requests for comment from Motherboard made over the past week.
The lesson: The threat to victims here isn't necessarily just access to their dating account (if they did indeed sign up for the service in the first place). It's that some victims may have used the same password for Mate1 as their other accounts, such as email, Amazon or anything else. If that's the case, anyone in possession of the Mate1 database could then try the leaked passwords against more valuable accounts. Judging by the high number of credentials that the hacker claims to have sold, it would not be surprising if a chunk of them led to the compromise of other accounts elsewhere.
Another day, another hack.
Illustration by Che Saitta-Zelterman