841 Million User Records for Sale on the Dark Web
In the last few weeks, an unknown hacker has put 841 million user records up for sale on the dark web. The user records aren't from a single source—they comprise data from 30 different companies and include a wide range of personal information. So far, no financial data has been reported stolen.
According to The Register, which first reported the story, the seller has stolen “roughly a billion accounts from servers to date since they started hacking in 2012.” Why? The seller hopes to make money, but also hopes to make “life easier” for hackers by selling usernames and password hashes to help them break into other accounts. Ironically, the seller also highlighted the importance of people taking security more seriously, citing two-factor authentication as a good way to protect against password theft.
What personal data is for sale on the dark web, by company
According to The Register and TechCrunch—which followed up the original story with additional information—user data from these 30 companies is being sold on the dark web for bitcoin. If you have an account with any of the following companies, please update your account password now as well as any other account passwords that are the same or similar:
500px: 14.8 million accounts
The 500px hack included the following data per account:
- Username
- Email address
- MD5-, SHA512-, or bcrypt-hashed password
- Hash salt
- First and last name
- Birthday (if it was provided)
- Gender (if it was provided)
- City (if it was provided)
- Country (if it was provided)
8fit: 20.1 million accounts
The 8fit hack included the following data per account:
- Email address
- bcrypt-hashed password
- Country
- Country code
- Facebook authentication token
- Facebook profile picture
- Name
- Gender
- IP address
Animoto: 25.4 million accounts
The Animoto hack included the following data per account:
- User ID
- SHA256-hashed password
- Password salt
- Email address
- Country
- First and last name
- Date of birth
Armor Games: 11 million accounts
The Armor Games hack included the following data per account:
- Username
- Email address
- SHA1-hashed password and salt
- Date of birth
- Gender
- Location
- Other profile details
Artsy: 1 million accounts
The Artsy hack included the following data per account:
- Email address
- Name
- IP address
- Location
- SHA512-hashed password with salt
Bookmate: 8 million accounts
The Bookmate hack included the following data per account:
- Username
- Email address
- SHA512- or bcrypt-hashed password with salt
- Gender
- Date of birth
- Other profile details
ClassPass: 1.5 million accounts
The ClassPass hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
CoffeeMeetsBagel: 6.1 million accounts*
The CoffeeMeetsBagel hack included the following data per account:
- Full name
- Email address
- Age
- Registration date
- Gender
Coinmama: 450 thousand accounts
The Coinmama hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
DataCamp: 700 thousand accounts
The DataCamp hack included the following data per account:
- Email address
- bcrypt-hashed password
- Location
- Other profile details
Dubsmash: 161.5 million accounts
The Dubsmash hack included the following data per account:
- User ID
- SHA256-hashed password
- Username
- Email address
- Language
- Country
- First and last name (not included for all accounts)
EyeEm: 22.3 million accounts
The EyeEm hack included the following data per account:
- Email address (for all but three million accounts)
- SHA1-hashed password
Fotolog: 16 million accounts
The Fotolog hack included the following data per account:
- Email address
- SHA256-hashed passwords
- Security questions and answers
- Full names
- Locations
- Interests
- Other profile details
Ge.tt: 18 million accounts
The Ge.tt hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Gfycat: 8 million accounts
The Gfycat hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
HauteLook: 28 million accounts
The HauteLook hack included the following data per account:
- Email address
- bcrypt-hashed password
- Name
Houzz: 57 million accounts
The Houzz hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Ixigo: 18 million accounts
The Ixigo hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Jobandtalent, Legendas.tv, OneBip, and Storybird: 20 million accounts combined
The Jobandtalent, Legendas.tv, OneBip, and Storybird hacks included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
MyFitnessPal: 150.6 million accounts
The MyFitnessPal hack included the following data per account:
- User ID
- Username
- Email address
- SHA1-hashed password with a fixed salt for the whole table
- IP address
MyHeritage: 92.2 million accounts
The MyHeritage hack included the following data per account:
- Email address
- SHA1-hashed password and salt
- Date of account creation
PetFlow: 1 million accounts
The PetFlow hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Pizap: 60 million accounts
The Pizap hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Roll20: 4 million accounts
The Roll20 hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
The ShareThis hack included the following data per account:
- Name
- Username
- Email address
- DES-hashed password
- Gender
- Date of birth
- Other profile details
StreetEasy: 1 million accounts
The StreetEasy hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Stronghold Kingdoms: 5 million accounts
The Stronghold Kingdoms hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Passwords hashed in different formats
- Other account details
Whitepages: 17.7 million accounts
The Whitepages hack included the following data per account:
- Email address
- SHA1- or bcrypt-hashed password
- First and last name
YouNow: 40 million accounts*
The YouNow hack included some combination of the following data:
- Usernames
- Email addresses
- Names
- Locations
- Account creation dates
- Other account details
*No action is required for these accounts, as these services reportedly don't store passwords.
Dashlane’s Dark Web Monitoring, available to all individual users on a business plan, is a simple way to alert employees when their information appears on the dark web. Here’s how it works:
- Each employee adds up to five of their email addresses, business or personal.
- Dashlane scans billions of accounts and passwords available in data collections on the dark web and flags any exposed accounts with a prompt to take action.
- Employees can click on a button for the flagged credential, which will take them to the login page of that account to change their password immediately. They can use Dashlane’s Password Generator to create a strong, randomized password.
- Dashlane will continue to scan the dark web and will send an automatic alert if any personal data is discovered.