Two Russian hackers reportedly responsible for the recent release of millions of usernames and passwords from social media websites Myspace, Tumblr and LinkedIn have emerged from the shadows to discuss why the data dumps have suddenly appeared for sale on the dark web.
The pair, who are using the pseudonyms Tessa88 and Peace_of_Mind online, were reportedly once part of a hacking team that has since disbanded and fallen into disarray. Both assert there are plenty more releases on the horizon – with Facebook-owned Instagram being touted as the next victim.
In an interview with Wired, Peace_of_Mind – who also goes by the shorter title of Peace – revealed the biggest hacks were the work of a team of Russians and were initially only shared within its inner circle. However, this didn't last once money became involved.
"[After] long enough, certain individuals obtained the data and started to sell [it] in bulk ($100/100k accounts, etc.) in the public. After noticing this, I decided for myself to start making a little extra cash to start selling publicly, as well," Peace said.
When asked why the hacking team didn't want to sell the stolen datasets at the time they were compromised – as most of the information is from 2012/13 – Peace said the credentials lose value if they are suddenly in the wild. "We had our own use for it and other buyers did as well," he added.
This use, according to the hacker, was mainly for spamming however they noted that password reuse across platforms means the datasets can be extremely valuable. "Many simply don't care to use different passwords which allows you to compile lists of Netflix, PayPal, Amazon, etc. to sell in bulk," Peace told Wired.
While many security experts advise unique passwords for every online account, it is increasingly clear general internet users are not listening to the warnings – until it's too late. For the Russian hackers, the spree has now released more than 160 million accounts from LinkedIn, 100 million from social platform VK.com and a massive 360 million from Myspace.
Most recently, Twitter was also implicated in a release of information however this was not from a hack on its core systems and instead the result of malware infections and weak password security. According to Peace, there is more on the way. About another one billion users or so, again in the same timeframe: 2012-2013," he or she claimed. "[From] social media and email services, mainly."
The other culprit responsible for the headline-grabbing leaks of late is called Tessa88 who, according to technology website Vocativ, is self-described as a Russian female in some dark web forums. Tessa88 has claimed to have a number of high-valuable databases, including from Facebook, Instagram and an eastern European social network site called OK.ru. "I have the whole world," Tessa88 told Vocativ. "I hacked everyone."
Tessa88 has been in contact with breach-notification website LeakedSource, which has been obtaining and uploading the data dumps to let users check if they have been impacted in the breaches. It remains unknown if Tessa88 and Peace are responsible for the hacks themselves or if they are simply selling the obtained information.