For the last two weeks, the tech world's security teams have been practically under siege. On an almost daily basis, new collections of data from hundreds of millions of stolen accounts have appeared on the dark web, ripped from major web firms and sold for as little as a few hundred dollars each worth of bitcoins. And behind each of those clearance sales has been one pseudonym: "Peace_of_mind."
"Peace_of_mind," or "Peace," sells data on the dark web black market TheRealDeal. His or her "store" page has a 100-percent satisfaction rating and feedback like "A+++," and "follows up with your questions and delivers promptly." And Peace's growing selection of merchandise includes 167 million user accounts from LinkedIn, 360 million from MySpace, 68 million from Tumblr, 100 million from the Russian social media site VK.com, and most recently another 71 million from Twitter, adding up to more than 800 million accounts and growing.
Just how Peace obtained that data is far from clear. Much of it is from older breaches, dating back to as early as 2012. But the consequences have already been serious—likely due in part to victims reusing passwords between sites—and include hackers compromising the Twitter accounts of Mark Zuckerberg, Twitter founder Ev Williams, a multitude of celebrities including Drake and Katie Perry and likely many more less-visible attacks. In fact, these breaches are so large it's hard to imagine anyone with a digital life who is not in some way affected.
Earlier this week, WIRED approached Peace through the RealDeal market messaging system and interviewed him or her via encrypted, anonymous IM. Almost none of Peace's claims could be confirmed. Take them only as the unverified statements of a mysterious, pseudonymous, brazenly criminal hacker. Here, with some editing for clarity, is our conversation, which took place on Monday, June 6.
[Editors' note: After some initial back-and-forth to verify Peace is the same person WIRED contacted on the RealDeal black market…]
WIRED: My first question, how have you got your hands on all these collections of breached user credentials?
Peace: Well, all these have been hacked through [a] 'team,' if you want to call it that, of Russians. Some have been my work, others by another person.
Are you Russian, yourself?
Can you tell me where you're based?
At this point due to multiple investigations I would not want to say.
Is there a name for your "team"?
At this time I can not give out details like that, sorry.
It seems like much of the data you're selling is old (though still clearly useful for hackers.) The Linkedin data is from 2012, for instance, and the MySpace data also seems to be from 2013. How did it happen that you came to possess this old data and are only selling it now?
It's fun f**king around with these people—MySpace, Tumblr, LinkedIn—as they threaten to investigate and cooperate with law enforcement. Peace
Well, these breaches were shared between the team and used for our own purposes. During this time, some of the members started selling to other people. The people who we sold to [were] selective, not random or in public forums and such, but people who would use [the data] for there own purposes and not resell or trade. Although [after] long enough, certain individuals obtained the data and started to sell [it] in bulk ($100/100k accounts, etc.) in the public. After noticing this, I decided for myself to start making a little extra cash to start selling publicly, as well.
So you're doing this separately from the rest of your crew? Are they OK with you selling this data on your own?
Well this crew is no longer together. The leader "retired" if you want to call it that, a long time ago, however a certain some one (Tessa) started selling without permission. Most of the members went on to do other things and a lot aren't in contact, so there wasn't any "consequence" for his actions. For me personally given the fact that it was long ago I thought I'd join in and start selling, too. [Editors' note: Someone using the handle "Tessa" has in fact provided 32 million Twitter users' data to the breach tracking website LeakedSource.com.]
Why didn't the crew want to sell the whole collection earlier?
It is not of value if data is made public. We had our own use for it and other buyers did as well. In addition buyers expect this type of data to remain private for as long as possible. There are many [databases] not made public for that reason and [in] use for many years to come.
What was your "own use" for it? How were you able to make more by selling the data privately?
Well, [the] main use is for spamming. There is a lot of money to be made there, as [well as] in selling to private buyers looking for specific targets. As well, password reuse—as seen in recent headlines of account takeovers of high profile people. Many simply don't care to use different passwords which allows you to compile lists of Netflix, Paypal, Amazon, etc. to sell in bulk. (50K/100K/etc)
How much would you say the crew made selling parts of the LinkedIn database privately, for instance, before you started selling the whole collection?
I don't think that would be in my best interest to disclose that information. However I can say for me personally, selling publicly, [I've made] $15K for LinkedIn.
How much for the MySpace and Tumblr data?
For both, almost $20K.
Like, $10,000 each?
More for Myspace. For Tumblr a couple Gs in total…but mostly myspace due to the fact that Tumblr had salt for the hashes.
The Myspace data was also hashed, wasn't it? But not salted?
Yes, it was hashed, however no salt. [Editors' note: For more information on hashing and salting, read this explainer.]
How much for the Fling data?
That was about $1,200 or something like that, can't remember exact amount.
Do you have more collections that you haven't put up for sale yet?
Yes, about another 1B users or so, again in the same timeframe: 2012-2013.
From which services?
Social media and email services, mainly.
Which sites, I mean? Can you be specific?
Well, I can't say for now. I don't want those companies getting a head start sending out password resets.
When do you plan to start selling the rest?
Sometime this week for my next [one.] I will probably do one every week. [Editors' note: Peace put up the Twitter data for sale on Thursday morning, three days after this conversation.]
How many sites/services are there in total?
Hmm…about seven which are over the 100M user count. If I include smaller ones—20M, 60M, etc.— another five.
How were you or your crew able to compromise all these sites?
Well, that's up to the companies and law enforcement to find out.
I hope this doesn't sound rude, but why did you agree to talk to me?
No, well, it's fun fucking around with these people—MySpace, Tumblr, LinkedIn—as they threaten to investigate and cooperate with law enforcement. I'd rather give them a bone to chew on, so to speak, make them feel like they can catch me or others.
And you're sure you can evade law enforcement?
Haha, yes, where I am at.
It seems like a lot of risk for the $25K or so you say you've made so far.
Well, that is publicly. And in less than a month. It is no risk for me, as they can't do anything. Like I said, quick easy cash in about a month. [I] should have enough to go buy a nice car.
Are you confident you won't be caught because you're in Russia? Don't the Russian police occasionally extradite hackers? A billion-plus passwords might be enough to get some attention.
Well, it is a little more complicated than that, but I have plans in case something happens.
Where does your name "peace_of_mind" come from?
Well, it was just supposed to be "peace," however [that] was taken on [the Real Deal dark web] market. [It] just came to mind, really, nothing special.
Why "peace," then?
Can you prove that you really have a billion more passwords from 12 sites ready to sell? Readers will be skeptical.
Tell them to check their inbox for a password reset in the next week or so.
[Editor's note: WIRED requested evidence of that still-to-come breached data. Peace initially offered to send some sort of sample of the data and we agreed to check back in the next day or two. But after two days Peace still hadn't provided anything.]