AlphaBay, one of the largest underground marketplaces hosted on the Dark Web, has been forced to pay a hacker who successfully exploited vulnerabilities in the website's internal mailing system to hijack over 200,000 private unencrypted messages.
The hacker, using the pseudonym Cipher0007, made an announcement on Reddit on 22 January, claiming to have used two "high-risk bugs" to steal troves of private messages belonging to buyers and sellers on the website, who traditionally deal in drugs and other illicit substances.
Such messages, which are not encrypted by default, could expose identities, illegal trades and vendor inquiries of AlphaBay users. The attacker posted a series of screenshots to prove he or she had successfully compromised the data.
"We have been made aware of the bug that allowed an outsider to view marketplace private messages and we believe that the community has the right to be made aware of what information was obtained," read a statement from the AlphaBay admins.
"The attacker was paid for his findings, and agreed to tell us the methods used to extract such information," it continued, adding: "Our developers immediately closed the loophole in order to protect the security of our users."
The hacker was reportedly able to obtain a list of user IDs and usernames, alongside a total of 218,000 personal messages sent within the last 30 days. Inboxes that did not receive a message in the last 30 days were not affected, the admins maintained.
The statement also said that forum messages, order data and Bitcoin addresses were all safe. "No action is required from anyone, but we remind everyone to always encrypt sensitive information such as addresses, Bitcoin addresses [and] tracking numbers," it added.
In response to a query from security researcher Chris Monteiro, the Dark Web marketplace administrators also claimed the bugs were only exploited by one single hacker. "It wasn't exploited until four days ago," a statement read, adding: "The attacker then started dumping messages, and once he announced it, we paid him and immediately closed the loop."
Reddit users were left frustrated. One commenter wrote: "Stop accepting less than you deserve. Don't gamble on markets which can't even do the simple things right. If you are an intelligent darknet user who always practises good OpSec then don't let a s****y market be your weak-spot."
According to technology website Motherboard, AlphaBay faced a similar incident in April last year when user messages were left exposed due to a flaw in a newly-enacted website feature that could allegedly allow anyone to obtain other members' private correspondence.