Maria Montero

ClassPass, Gfycat, StreetEasy hit in the latest round of massive outages …

In just one week, a single seller puts nearly 750 million records from 24 pirated sites for sale. Now the hacker has struck again.

The hacker, whose identity is unknown, began posting user data from several major websites – including MyFitnessPal, 500px and Cafe Cumple Bagel, and most recently Houzz and Roll20 – earlier this week. This weekend, the hacker added a third round of data breaches – another eight sites, totaling another 91 million user registrations – to his dark cloth market.

To date, the hacker has disclosed breaches to 30 companies, totaling about 841 million records.

According to the latest announcements, the sites include 20 million accounts from, Onebip, Storybird and Jobandtalent, as well as eight million accounts on Gfycat, 1.5 million from ClassPass accounts, 60 million PiZap accounts, and other accounts looking for a million StreetEasy property.

The hacker is selling the eight additional hacked sites for 2.6 bitcoin, or about $ 9,350.

From the samples that TechCrunch has seen, the accounts include some variations of usernames and email addresses, names, places of other country and region account information, account creation dates, hashed passwords in various formats, and .

We have not found any financial information on the samples.

Little is known about the hacker, and it is unclear exactly how these sites were hacked.

Ariel Ainhoren, leader of the investigation team at Israeli security firm IntSights, told TechCrunch this week that the hacker is likely using the same exploit to attack each of the sites and download the backend databases.

“As most of these sites were not known as breaches, it appears that we are dealing with a hacker who did the attacks on his own, and not just someone who obtained it from somewhere else and now we are just reselling it,” Ainhoren said. The software in question, PostgreSQL, an open source database project, said it “is currently not aware of any unpatched or patched vulnerabilities” that may have caused the breaches.

We contacted several of the companies prior to publication. Gfycat responded, saying it was investigating the breach, and Pizap said it was “not aware of any attacks and will investigate immediately.” We will update once it arrives.