Artsy, the art-selling platform, has been hacked as part of a haul of 620 million accounts stolen from 16 hacked websites. The information is currently for sale on the dark web, a seller has stated.
Details of the stolen data have been revealed along with data from 15 other hacked websites, also on sale from yesterday on the dark web, according to the Data Trove seller. The account databases have been advertised for purchase from the Dream Market cyber-souk, located in the Tor network.
The asking price for the illegally stolen accounts, which include usernames, email addresses, and passwords, is $20,000 in Bitcoin. The passwords are hashed, or one-way encrypted, and must be cracked before they can be used.
The accounts compromised include: Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).
Artsy sent a letter to all users, which is how Artlyst was alerted. See the letter in full below.
Dear Artsy Users,
We are writing to inform you about a data security incident that may have impacted your Artsy account data. We have no evidence that commercial or financial information was involved, and to date we have not received reports from Artsy users of actual or attempted fraud as a result of this incident. However, as your data security is of paramount importance to us, we wanted to bring this to your attention immediately, and let you know that we are investigating this fully and taking steps to prevent this type of incident from happening in the future.
On February 11, 2019, we became aware that account information for some of our users was made available on the internet. We are still investigating the precise causes of the incident, and together with our engineering team, we are working with a leading cyber forensics firm to assist us.
Although the investigation is still ongoing, we are taking steps to contain this incident and to prevent this type of incident from happening in the future.
What Information Was Involved:
While the investigation is ongoing, we believe that the compromised information includes some users’ first and last names, emails, IP addresses, and password hashes. Please note that Artsy does not store passwords, but only a password hash, which is a type of password protection and is considered industry best practice. And to reiterate, we have no evidence that commercial or financial information was involved, and to date we have not received reports from Artsy users of actual or attempted fraud as a result of this incident.
What We Are Doing:
We are continuing to work both with our internal technical teams and industry experts, including a leading computer forensics firm, to gain a comprehensive understanding of what happened. We are also assessing existing security measures to protect the integrity of our systems and will continue to work to enhance these protections and safeguards. Our existing security measures include: industry-standard encryption and security protocols for product communication; regular audit of systems for known vulnerabilities; and delegation of the management of sensitive payment information exclusively to best-in-class and externally audited providers.
What Can You Do:
While your actual password is not compromised (only a password hash), out of an over-abundance of caution, we recommend changing your Artsy password today. We also recommend following best practices of regularly changing your Artsy password, and not using simple easy-to-guess passwords. Furthermore, you should be using unique passwords for each website, but if you use the same or similar passwords on other online services, we recommend you change those as well.
As the world’s leading online art market platform, the trust of our users and art world partners is critically important to us. We recognize that data security and the protection of your information is of paramount importance to maintain that trust. In addition to addressing this particular incident, we are committed to continuing to improve by putting in place more and better measures that keep your data secure and private.
For More Information: If you have any questions or concerns, please reach out to us at firstname.lastname@example.org.
Chief Technology Officer, Artsy