Three days after news broke that 18 million records from Ixigo had been stolen and put up for sale by a hacker on the dark web, the travel booking site said it hasn’t found any evidence of the breach yet.
Ixigo's data was part of 127 million compromised records from eight websites. The same hacker is believed to have put another 93 million users' data up for sale on Monday.
“Despite not having any confirmation of the security breach, we have enforced higher security measures such as two-factor authentication and reset all our user passwords and authentication tokens,” said Aloke Bajpai, chief executive and co-founder of Ixigo. The company is still investigating the alleged security breach.
Ixigo, which is backed by Fosun and Sequoia Capital, said it does not store any financial information of users or passwords of third-party logins.
TechCrunch has reported that, apart from Ixigo, live video streaming site YouNow (40 million records), home improvement startup Houzz (57 million), cryptocurrency site Get.tt (1.8 million), Coinmama (450,000), gaming site Roll20 (4 million), multiplayer online game Stronghold Kingdoms (5 million) and pet care delivery service PetFlow (1 million) have faced data breaches. The records from these companies were on sale for about USD 14,500 in bitcoin. Of the eight companies, only Houzz has disclosed the data breach.
This started with a report on February 11 by The Register that 620 million accounts stolen last year from 16 hacked websites were put up for sale by the hacker for less than USD 20,000 in bitcoin on the Dream Market cyber-souk, a dark web marketplace.
These websites included Dubsmash (162 million records), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).
While MyFitnessPal and Animoto disclosed data breaches last year, companies including Dubsmash and CoffeeMeetsBagel acknowledged earlier this month that approximately 6 million users each were compromised.
The Register said these records consisted mainly of account holder names, email addresses and hashed or one-way encrypted passwords that needed to be cracked before they could be used. There were other bits of information, depending on the site, such as location, personal details and social media authentication tokens, the report said, but there appeared to be no payment or bank card details in the sales listings.
Ariel Ainhoren, research team leader of cyber threat intelligence at Israeli security firm IntSights, told TechCrunch, “We’re still analyzing it, but it could have been that he used some kind of vulnerability that surfaced around that time and wasn’t patched by these companies or a totally new unknown vulnerability. As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it.”
According to the hacker’s listings, TechCrunch said, Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble.