386 Million User Records from 18 Companies Leaked for Free

Posted on July 28, 2020 by Eugene Bekker | Director, Technology & Security in Breach & Scam Resources, Identity & Privacy, Personal

hacker selling personal information

What Happened?

It was just recently confirmed that starting on July 21, 2020, multiple databases containing the stolen information of over 386 million consumers were posted online in a hacker forum — all for free. The exposed information was stolen from eighteen companies, including Wattpad (270 million user records), Mathway.com (25.8 million user records), Promo.com (22 million user records), and Drizly.com (2.4 million user records) through past data breaches. Many of the 18 companies involved in this data leak have announced security incidents had occurred in 2020, but several remain unknown or undisclosed. The Personally Identifiable Information (PII) in each database varies, but typically contain names, user names, email addresses, and hashed passwords. Hashed passwords can be deciphered, further exposing a breach victim to account takeover and credential stuffing attacks.

Should I Be Worried?

The information stolen in data breaches is normally sold on the dark web for a profit and very rarely shared for free. The posting of these free databases was done for “everyone’s benefit” according to the hacker, which is bad news for personal identities. Although the PII in each database varies, a cybercriminal can easily compare the records in different databases to complete a profile or establish a fake identity with pieces of real information, known as synthetic identity theft. These sensitive personal records are also used to further conduct identity fraud through credential stuffing and phishing attacks. It is critical to safeguard your information by updating your passwords — making sure you do not use the same password on multiple accounts — and turning on two-factor authentication to further protect yourself from account takeover attacks.

3 Tips to Protect Your Personal Information

  1. Use two-factor authentication whenever possible. Requiring an additional level of security on all accounts and mobile apps can often thwart hackers from gaining access.
  2. Invest in a password manager. Having one location to safeguard your hard-to-crack passwords alleviates the pressure to remember all logins and empowers you to update site passwords frequently.
  3. Safeguard your device with Mobile ProtectionInvest in a mobile program that alerts you of rogue applications, spyware, and unsecured Wi-Fi connections for added security.