Mike Cane brought my attention to a story over on The Register:
> Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.
>
> For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:
>
> Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).
>
> Bookmate 8,026,992 accounts for 0.159 BTC ($572) total
>
> 1.7GB of data taken July 2018. Each account record typically contains a username, an email address, SHA512 or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged security breach has not been previously publicly disclosed. British Bookmate makes book-reading apps. A spokesperson did not respond to a request for comment.
Bookmate is one of the smaller ebook startups, and its main focus is a subscription reading platform.
While this report is entirely plausible, I have seen no announcement of a breach, so we have no way to know for sure that this actually happened. And since I know of at least one “breach” that turned out to be a nothing-burger, I decline to draw a conclusion.
If you have an active account with Bookmate, ask them about this.