A thriving online bazaar selling stolen payment card data has been hacked in a heist that leaked the records for more than 26 million cards, KrebsOnSecurity reported on Tuesday.
The 26 million figure isn’t significant only to the legitimate consumers and businesses who own the stolen cards or the financial institutions that issued them. Fortunately for the card owners, the database is now in the hands of affected financial institutions, who can invalidate and replace the cards.
The number, therefore, is perhaps a bigger deal because it represents a significant fraction of the world’s stolen-card inventory. Krebs said that Gemini Advisory, a company that monitors dozens of underground markets trafficking stolen card data, currently tracks a total of 87 million credit and debit card records. The haul of 26 million cards means that about a third of that supply has been taken out of circulation in a single swipe.
“With over 78% of the illicit trade of stolen cards attributed to only a dozen Dark Web markets, a breach of this magnitude will undoubtedly disturb the underground trade in the short term,” Gemini co-founder and CEO Andrei Barysevich told Krebs. “However, since the demand for stolen credit cards is on the rise, other vendors will undoubtedly attempt to capitalize on the disappearance of the top player.”
The hacked market is called BriansClub, a site available at BriansClub[.]at that, for years, has imitated Krebs’ site and likeness. The data taken in the hack shows that BriansClub acquired 1.7 million cards in 2015, 2.9 million in 2016, 4.9 million in 2017, 9.2 million in 2018, and 7.6 million in the first eight months of this year. Most of the pilfered data is composed of “dumps,” the term card thieves use to describe data that’s stored on the magnetic stripe of payment cards. The stolen dumps can be transferred to new cards that crooks use to buy electronics, gift cards, and other large-ticket items from big-box stores. An analysis based on how many of the cards had expiration dates in the future suggests that more than 14 million of the leaked records could still be valid.
Based on the pricing tiers listed on BriansClub, the haul represents about $414 million worth of lost sales, security intelligence firm Flashpoint told Krebs. By tracking the cards that were once available for sale and later removed, Flashpoint estimated that BriansClub has sold data for about 9.1 million cards for about $126 million. Federal prosecutors often value each stolen credit card record at $500, a sum that represents the average cost incurred from each compromised holder. Based on that estimate, the 9.1 million cards translate to about $2.27 billion in losses.