A New Massive 2.2 Million Password Data Dump is Shared on the Dark Web

Last updated November 20, 2019
Written by:
Bill Toulas
Cybersecurity Journalist

According to ArsTechnica, a fresh data dump compiled from recent breaches has been spotted on the dark web. The dump contains 2.2 million passwords and personal information records belonging to users of GateHub and EpicBot. The former is a cryptocurrency wallet service, while the latter is a bot provider for the game RuneScape.

Starting with GateHub, the leak includes email addresses, two-factor authentication keys, mnemonic phrases, wallet hashes, usernames, and IP addresses. GateHub had previously admitted the data breach, and HaveIBeenPwned warned people about it a while ago. However, the cryptocurrency platform had stated that wallet hashes weren’t compromised, a claim that, as we can now see, does not hold. Moreover, GateHub said that only 18473 users had been affected by the security incident, but we are now discovering that the actual number is a jaw-dropping 1.4 million users.

As for the EpicBot leak, the exposure concerns 800k users and includes their email addresses, usernames, IP addresses, and bcrypt-hashed passwords. Bcrypt is very hard to crack, so these passwords are safe for now, even though they have fallen into hundreds, if not thousands, of malicious hands. The question is whether the platform implemented the hashing function correctly. If not, cracking the hashes could be possible with conventional computing power.
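What "implemented correctly" can mean for stored bcrypt hashes, shown as an added example (not code from the article or from either platform): it parses the bcrypt string format and flags a low cost factor, legacy variant prefixes, and malformed entries, and checks bcrypt's 72-byte input limit. The policy floor `MIN_COST`, the function names, and the sample strings are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt modular crypt format: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}$")
MIN_COST = 10         # assumed policy floor, not a value from the article
LEGACY = {"2", "2x"}  # original prefix and the crypt_blowfish "known-buggy" marker


def audit_bcrypt(stored):
    """Return findings for one stored hash string; an empty list means none."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return ["malformed"]
    variant, cost = m.group(1), int(m.group(2))
    findings = []
    if not 4 <= cost <= 31:
        findings.append("invalid-cost")
    elif cost < MIN_COST:
        # Each cost step doubles the work per guess, so report the shortfall as a factor.
        findings.append(f"weak-cost:{cost} ({2 ** (MIN_COST - cost)}x cheaper than floor)")
    if variant in LEGACY:
        findings.append(f"legacy-variant:{variant}")
    return findings


def exceeds_bcrypt_input(password):
    """bcrypt ignores input past 72 bytes; flag passwords that would be truncated."""
    return len(password.encode("utf-8")) > 72


def summarize(hashes):
    """Count findings by category across a credential table export."""
    counts = Counter()
    for h in hashes:
        counts.update(f.split(":")[0] for f in (audit_bcrypt(h) or ["ok"]))
    return dict(counts)


# Constructed placeholder strings with valid bcrypt syntax; they are not real hashes.
SALT, DIGEST = "A" * 22, "B" * 31
SAMPLES = [f"$2b$12${SALT}{DIGEST}", f"$2a$05${SALT}{DIGEST}",
           f"$2x$10${SALT}{DIGEST}", f"$2b$12${SALT}", "0" * 32]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```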

Users of both websites are at risk of credential stuffing attacks, so if you have used either platform, change your credentials everywhere. If you receive unsolicited email messages that make weird requests or bold claims about you, don't fall for them. Whatever happens from now on with your account, if you want to manage cryptocurrency wallets safely and securely, you should finally consider getting a Yubikey.

Given the large number of people who have been exposed by this incident, the two platforms should now be thoroughly investigated by personal data protection agencies and punished accordingly. As for the inaccuracy of the initial reports, it can be attributed to incomplete internal investigations. ArsTechnica points out that the platform should have done better four months after the incident occurred and 25 days after the posting of the dumps, but we will steer clear of speculation about cover-up or playing-down intentions. Companies that spill data should simply face the business and legal consequences of their inadequacy, and users should do everything in their power to stay safe within any given context.

Are you among the 2.2 million users who have been exposed? Leave your comments down below, or join the discussion on our socials, on Facebook and Twitter.


