Cybercriminals selling data breach victims’ stolen data on the dark web, Which? reveals

Fraudsters are advertising valuable personal data about consumers, with thousands of Tesco Clubcard accounts among vast databases of stolen details offered for a few pounds a time on the dark web, a Which? investigation has revealed.

The consumer champion found that stolen accounts and data are being advertised for sale cheaply, with customers of Tesco, Deliveroo and McDonald’s among those having their personal information marketed by fraudsters. This highlights the dangerous knock-on effects of being involved in a data breach, or companies not prioritising security highly enough.

Which? worked with security specialists Red Maple Technologies in October 2020 to investigate the kind of personal data that is advertised for sale on both the open internet and the dark web – a hidden part of the web that can only be accessed using special tools.

The data found was a treasure trove for fraudsters – including information that could be used to clone identities and passwords to online services including food delivery platforms.

One seller claimed to have data that included ‘Tesco accounts with usernames, passwords and loyalty card balances’. The seller was offering the accounts in blocks of 2,000 and, based on Which?’s calculations, the individual accounts were being sold for around 42p each. They claimed to have hundreds of thousands of Clubcard accounts for sale in total, although Which? had no way of verifying this, as it did not purchase the stolen data.

This follows Tesco confirming in March last year that a database of usernames and passwords stolen from other websites had been used to try to access Clubcard accounts and customer vouchers. Tesco said at the time that no financial data was accessed and its systems hadn’t been hacked. It claimed to have blocked affected accounts as a security measure. Yet when Which? searched through dark web marketplaces for compromised accounts, it found examples that included data claiming to be from Tesco.

While the Clubcard accounts being advertised for sale might not work if they have been blocked, there is still value to the cybercriminals in stolen email addresses, passwords and other data. This is because they can potentially use the data to attack other services where consumers have reused the same credentials. They could also use the data to mount phishing attacks on Tesco customers. Again, Which? did not try this so cannot independently verify the rogue seller’s claims.

Researchers also found Deliveroo accounts being advertised for sale on dark web markets for just £4.30. Consumers have been turning to the food delivery app in increasing numbers during the Covid-19 crisis. However, those who have had their details stolen and sold online could find that large food and alcohol orders are racked up on their accounts, potentially costing the consumer hundreds of pounds. Deliveroo still does not offer two-factor authentication – an important additional security measure – on accounts to help customers protect themselves.

Which? also found “My McDonald’s” accounts marketed for sale on the dark web, along with instructions on how to use them with the mobile app. The instructions advise someone to go to a McDonald’s restaurant, make their order through the compromised account, and then pick it up. The stolen account can cost just a few pounds, but could result in an order of well over £30.

The personal data of millions of guests who stayed at MGM Resorts hotels was breached in the summer of 2019. A database of information was posted on a hacking forum in February 2020, and in October of that year Which? found a seller offering data from this breach. This included 10.6 million guest records, including ‘email and physical addresses, names, phone numbers and dates of birth’ and was available on Dark Market, a dark-web marketplace.

The information was being advertised for sale at £18.30 per pack and could potentially be used for “spear-phishing” attacks, where hackers might send emails pretending to be from MGM hotels to previous guests in order to scam them under the guise of the company.

Separately, Which? came across one seller that claimed to ‘currently… have about 200 leaked databases’. Another seller was marketing 239 dumps of data, said to include details from many well-known organisations that have previously had data incidents, including accorhotels.com, dominos.com and marriott.com.

Which? wants to see companies take more robust action to prevent data breaches happening in the first place, and strongly consider adding security protections such as two-factor authentication, so that this information has less chance of making its way into the hands of cybercriminals. They must also help any customers affected by a data breach.

The Information Commissioner’s Office must also be prepared to issue meaningful fines. Although it was understandable that it reduced fines for British Airways and Marriott amid the pandemic, it should not shy away from setting an example by sanctioning companies heavily when they fail to protect personal data and break data protection law.

The consumer champion also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection legislation. This would mean consumers could get redress, such as financial compensation, without having to actively opt in to a group case or bring the case individually themselves.

Kate Bevan, Which? Computing editor, said:

“Our research has found a treasure trove of stolen data being traded by criminals on the dark web, highlighting the danger of companies acting carelessly with their customers’ sensitive personal information.

“The ICO must be prepared to issue heavy fines against companies that leave customers’ personal data exposed to cybercriminals and breach data protection law, so that they are incentivised to prevent breaches.

“Which? is also calling for consumers to have an easier route to redress when they suffer from data breaches. The government must allow for an opt-out collective redress regime which would mean that affected victims would be automatically included in the action and be represented by a body bringing the claim on behalf of those affected.”

Which? advice to consumers on protecting their data

  • Passwords – Always set strong passwords for your accounts and don’t use the same ones across different accounts.

  • Password manager – Many services now alert you if your passwords have been compromised. As services such as Lastpass and Dashlane can be used for free, there’s no reason not to use a password manager. Additionally, consumers can check if their email has been included in a data breach using https://haveibeenpwned.com/.

  • Two-factor authentication (2FA) – Wherever possible turn on 2FA to increase security, particularly if your account holds your financial information. Don’t use SMS but use an authenticator app or even a hardware token if possible.

  • Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.

  • Guest checkout – Similarly to the above, just check out as a guest if you aren’t going to use the service regularly. Only create an account if you really need to.
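The compromised-password alerts mentioned above work by checking a password against a breach corpus without ever sending the password itself. The added example below (not part of the Which? release or of any password manager's own code) shows the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service uses: only the first five hex characters of the password's SHA-1 hash leave the client, and the suffix is matched locally. The breach data and occurrence counts here are constructed for the example, and `mock_range_fetch` stands in for the HTTP call; a real client would issue the same prefix to `https://api.pwnedpasswords.com/range/{prefix}`.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for breach data (NOT real Pwned Passwords content):
# passwords the mock service "knows" were leaked, with made-up occurrence counts.
CONSTRUCTED_LEAKED: Dict[str, int] = {
    "password": 3_000_000,
    "qwerty123": 250_000,
    "letmein": 80_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def mock_range_fetch(prefix: str) -> str:
    """Simulate GET /range/{prefix}: return every known hash sharing the
    5-character prefix as 'SUFFIX:COUNT' lines (CRLF-separated, like the
    real service). The server only ever learns the prefix, so it cannot
    tell which of the matching hashes the client is interested in."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly the first 5 hex chars")
    lines: List[str] = []
    for leaked_pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_hex(leaked_pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str,
                fetch: Callable[[str], str] = mock_range_fetch) -> int:
    """Return how often `password` appears in the breach corpus (0 = not seen).
    Only the hash prefix is sent; suffix comparison happens on the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch(prefix)
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "letmein", "Tr0ub4dor&3-unique-example"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in breach data'}")
```

A password manager's "compromised password" alert is this lookup run over every stored credential; a non-zero count is the signal to change that password everywhere it was reused.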

Notes to editors

  • Which? worked with security specialists Red Maple Technologies, in October 2020, to investigate the kind of personal data which is available for sale on the dark web.

  • Which? has no way of confirming the authenticity of the listings without actually buying the data, which it did not do. However, the fact that there is a correlation between some of the dumps supposedly on offer and well-known data breaches suggests some authenticity.

  • While breached or stolen data does end up on the dark web, a lot is available on the open internet or public forums, available for anyone with the knowledge to access.

  • The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.

  • Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.

Additional findings

On one dark web marketplace, Which? found 7.9GB of data stolen in July 2018 from Houzz, a home design website, advertised for sale. The seller was touting the names, email addresses and passwords of 57 million Houzz users for just £778.

Rights of reply

Tesco

Tesco declined to comment after Which? approached the supermarket.

Deliveroo Spokesperson:

“Deliveroo takes online security extremely seriously and is constantly working to help protect customers against unauthorised logins by cyber criminals.

“We have strict and robust anti-fraud measures in place to combat fraudsters and to track patterns of criminal activity and to block fraudsters. We also partner with anti-fraud companies to address misuse of card information and we regularly remind customers to use new, strong, unique passwords to protect their Deliveroo accounts.

“As a business, we are committed to tackling illegal activity and developing new and market leading innovations to protect our consumers against criminal hackers.”

A McDonald’s spokesperson said: “Unfortunately unwanted transactions do occur due to customers’ details being compromised by other websites, which is why we regularly add additional layers of fraud protection and security to our app. These include device identification and additional fraud detection software, and we recommend customers use a unique password for their account. We also have a number of measures in place to mitigate any breaches, such as Bot Protection and we remain confident that we have never had a breach of our systems.”

MGM Resorts said: “MGM Resorts has addressed the incident reported in 2019. We continually seek to strengthen and enhance our security measures to protect guest data.”

Houzz

Which? contacted Houzz but it had not replied by the time of publication.
