Blockpass Data Breach Intelligence Report - February 2019

March 2019
In February, the Blockpass Research Team analyzed 7 data breach events, chosen either for their significant impact on consumers, or their implication on global politics. This month, the largest single data breach was in video messaging; however, overall, fitness suffered the greatest. 

February might be the shortest month of the year, but there was just enough time for hundreds of millions of personal records to be leaked from several large, primarily internet-based, companies. Only analyzing the biggest data security breaches of this month, we discovered that more than six percent of the world population was likely to have been affected by one of these leaks. Interestingly, at the height of “New Year’s resolution season,” the industry hardest hit was fitness. Two diet and exercise tracking apps, MyFitnessPal and 8fit leaked the personal data of nearly two-hundred million users. Then, on Valentine’s day itself, popular dating app Coffee Meets Bagel suffered a leak that affected more than six million individuals.

# of Events Analyzed7
# of Identities Lostapprox. 448,102,635
% of World Population6%
Industry Hardest HitFitness

This report, for the month of February, is the fourth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”

Dubsmash | Video Messaging | 161,749,950

On February 11th, The Register reported that the personal information of around 162 million Dubsmash users had been put up for sail on the dark web. Dubsmash is a popular video messaging service which enables users to create their own lip sync videos of popular music videos, movie clips, and TV shows.

The hacker had emailed the online newspaper with proof that he had a database containing these users’ unique email addresses, names, usernames, passwords, and phone numbers. The hack is being sold along with several hundred million accounts from other websites (more on this to be discussed below) for a total of $20,000 in Bitcoin. The price for the 11GB of Dubsmash data has been estimated by The Register to be around $1,976.

On February 25th, data theft watchdog haveibeenpwned announced that they had gained access to the database and had posted the records to their site. Users can enter their email addresses to see if they have been affected.


MyFitnessPal | Fitness | 143,606,147

MyFitnessPal is a mobile application which helps users to track their daily diet and exercise. This particular data breach story goes all the way back in February of last year, when an unauthorized party had acquired MyFitnessPal user account data. The company became aware of the breach on March 25, 2018 and alerted their user base that usernames, email addresses and hashed passwords had been leaked. They also claimed to be taking measures to secure the data and to be cooperating with authorities.

Then, one year later, on February 11th, the same hacker or group of hackers behind the Dubsmash leak proved to The Register that he had access to this data, relating to 143,606,147 user accounts. The data was up for sale on the dark web. On February 21st, this data was published on the Haveibeenpwned advocacy website.


MyHeritage | Genealogy | 91,991,358

MyHeritage is an online platform that has been used by just under 92 million users to research their family trees. Today, all of these users will find that their records are available for sale on the dark web, in the $20,000 database also containing the Dubsmash and MyFitnessPal data.

Originally, the breach, which occurred in June 2018, was announced by the company on October 26, 2017. Unfortunately, it was found to be available for sale this month, on the 11th. The data was obtained by a security research and published on haveibeenpwned on February 20th.


EyeEm | Photography | 22,000,000

EyeEm (pronounced “I am”) is a picture sharing platform geared at professional photographers which matches creators with brands that might be interested in licensing their work. On February 18th the company announced to its users that as many as 22 million accounts may have been compromised by a major security breach which occurred on the 12th.

Initial reports claimed that the breach did not include any financial information or unhashed passwords. However, on February 16th, haveibeenpwned received access from a source to 19,611,022 unique email addresses, names, usernames, and bios.


8fit | Fitness | 20,180,667

Again reported by The Register, a 1.9 GB file containing the personal records of more than twenty million users of the popular diet and exercise planning platform, 8fit, were revealed to be released on February 11th. The company released a statement claiming that they had become aware of the hack on February 8th. The actual breach appears to have occurred in July, 2018.


Coffee Meets Bagel | Dating | 6,174,513

Valentine’s day turned out to be a little less romantic than expected for more than six million users of the popular American dating and social networking site, Coffee Meets Bagel. On February 14th, the company sent an email out to its community saying that their personal data “may” have been accessed by a third party.

The data breach was originally published by The Register on February 11th and the information released appears to have included users’ full names, email addresses, ages, account registration dates, and genders. The data was up for sale on the Dark Web for $468 in Bitcoin.


Dow Jones | Finance | 2,400,000

For security and compliance concerns, the Dow Jones keeps a database of around 2,400,000 entities that are considered “high risk.” Many of this number are individuals who may have links to terrorism, crime, or who are internationally sanctioned.

Originally discovered by data security researcher Bob Diachenko, Techcrunch reported the leak on February 28th. The Elasticsearch database had been left unsecured on AWS.