“I’ve made enough money now,” ShinyHunters said as stolen data is offered for free in a commercial dark web hacker forum.
In just the first two weeks of May 2020, a hacker, known only as ShinyHunters, offered an astonishing 200 million stolen data records for sale on the dark web. Not repurposed data from old breaches, but fresh to the market and, therefore, very valuable. The surprising thing is that, until then, nobody had even heard of ShinyHunters.
That has changed in the weeks since. By the start of July 2020, ShinyHunters had become a well-known data breach broker with an expanding number of breaches under their belt.
How much money has ShinyHunters already made?
Although it is not known precisely how much money ShinyHunters has made from this hacking spree, some of the breached databases were being offered in the dark web forum for as much as $100,000 (£77,150) each. As I say, fresh-to-market data can be pretty valuable even though, as has been the case in many of these databases, most passwords were encrypted and hashed rather than stored as plaintext.
Some reports suggest the average going rate for a ShinyHunters database dump was between $1,500 (£1,150) and $2,500 (£770).
Here’s the thing, though: freshness doesn’t last long when it comes to stolen data. So, maybe it’s not too surprising that these records would be given away once they had gone past their “best before” date.
What is a surprise is that ShinyHunters has decided to give away a total of 386 million records that encompass a claimed 18 data breaches, including nine that had not been previously disclosed, according to a Bleeping Computer report which details the full breach listings.
The data on offer here is far from worthless, though: it includes real names, email and home addresses, phone numbers, dates of birth and even, ShinyHunters has claimed, some valid credit card numbers.
“I’ve made enough money now” says hacker
Which leaves the question of why give it all away to members of the dark web hacker forum now? A question that Bleeping Computer asked of the hacker directly. The response? “I just thought: I’ve made enough money now, so I leaked for everyone’s benefit.”
ShinyHunters even admitted to upsetting those cybercriminals who had paid resellers for the data in the days prior, but added: “I don’t care.”
If you do care, dear reader, then follow the link to that Bleeping Computer report, and if you have an account at any of the listed services, change your password now if you haven’t already been notified of the breach and asked to do so. Where available, activate the option for two-factor authentication as an extra layer of access protection.
You can also check for breaches that might include your data at the excellent, and free to use, Have I Been Pwned service.