ClassPass, Gfycat, StreetEasy hit in latest round of mass site hacks

In just a week, a single seller put close to 750 million records from 24 hacked sites up for sale. Now, the hacker has struck again.

The hacker, whose identity isn’t known, began listing user data from several major websites — including MyFitnessPal, 500px and Coffee Meets Bagel, and more recently Houzz and Roll20 — earlier this week. This weekend, the hacker added their third round of data breaches — another eight sites, amounting to another 91 million user records — on their dark web marketplace.

To date, the hacker has revealed breaches at 30 companies, totaling some 841 million records.

According to the latest listing, the sites include 20 million accounts from, OneBip, Storybird, and Jobandtalent, as well as eight million accounts at Gfycat, 1.5 million ClassPass accounts, 60 million Pizap accounts, and another one million StreetEasy property searching accounts.

In all, the hacker is selling the eight additional hacked sites for 2.6 bitcoin, or about $9,350.

From the samples that TechCrunch has seen, the accounts include some variations of usernames and email addresses, names, locations by country and region, account creation dates, passwords hashed in various formats, and other account information.

We haven’t found any financial data in the samples.

Little is known about the hacker, and it remains unclear exactly how these sites were hacked.

Ariel Ainhoren, research team leader at Israeli security firm IntSights, told TechCrunch this week that the hacker was likely using the same exploit to target each of the sites and dump the backend databases.

“As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it,” said Ainhoren in an email to TechCrunch earlier this week. The software in question, PostgreSQL, an open-source database project, said it was “currently unaware of any patched or unpatched vulnerabilities” that could have caused the breaches.

We contacted several of the companies. Only Gfycat responded, saying it was launching an investigation. We’ll update once we know more.

This post was originally posted at

Leave a Reply

Your email address will not be published. Required fields are marked *