A Reddit user named Skillzythehacker has claimed to have compromised thousands of accounts on Dream Market, though market administrators said no Bitcoin were at risk. The attacker said that none of the compromised accounts were using 2FA, a supposed panacea for login security issues.
Dream Market admin wombat2combat released the following message:
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The user /u/Skillzythehacker sent the mods of /r/Darknetmarkets a list of over 50 login credentials [names and passwords] for dream market accounts. After looking at them more closely we can verify that they are working and the accounts are pretty old because their user IDs are between about 100k and 500k while the latest ones [when registering a new account] are higher than 700k. It is therefore very likely that these login credentials were obtained through a database breach/hack. Some changes were already made to the current dream market warnings and this issue will be added to them too.
The attacker is said to have provided proof he could log into various accounts, leading users to speculate that user info was stored with weak or no encryption.