A few months ago we exclusively reported on a Dark Web vendor selling 1 Billion user accounts stolen Attack.Databreach from the Chinese Internet giants . Now , another vendor going by the handle of CosmicDark is selling Attack.Databreach a database containing 100,759,591 user accounts stolen Attack.Databreach from of Youku Inc. , a popular video service in China . The database according to vendor ’ s listing was leaked Attack.Databreach in 2016 and leaked Attack.Databreach on the Internet this year . Although it is unclear how the database was stolen Attack.Databreach CosmicDark is selling Attack.Databreach the whole package for USD 300 ( BTC 0.2559 ) . The data contains emails and passwords decrypted with MD5 & SHA1 hashes . According to the sample data ( 552 accounts ) provided by CosmicDark , most of the emails are based on @ 163.com , @ qq.com , and @ xiaonei.com . It must be noted that based on HackRead ’ s research the encrypted passwords provided in the sample data have already been decrypted and publically available on the Internet . Also , HaveIbeenpwned , a platform where you can check if your account has been compromised Attack.Databreach has also confirmed the breach Attack.Databreach . It is unclear whether Youku Inc. is aware of the breach or has notified its users , however it is evident that it poses a massive privacy threat to their users . Furthermore , vendors in the same marketplace are selling Attack.Databreach 21 million Gmail and Yahoo accounts , 640,000 decrypted PlayStation accounts , millions of accounts from 11 hacked Bitcoin forums and millions of accounts stolen Attack.Databreach from 25 hacked vBulletin forums .

Hackers are reportedly selling Attack.Databreach stolen data from the Qatar National Bank ( QNB ) and UAE InvestBank on the dark web . Both the banks suffered major data breaches Attack.Databreach in 2016 and the data of thousands of customers was later leaked Attack.Databreach online by hackers . Now , even as tensions escalate between the two Middle Eastern nations , cybercriminals appear to be cashing in on the underground cybercrime community . Hackers hit Attack.Databreach the QNB in April 2016 and the UAE InvestBank in May 2016 . The Sharjah-based InvestBank 's stolen data was leaked Attack.Databreach online by a hacker going by the pseudonym `` Buba '' , who demanded Attack.Ransom a $ 3m ransom Attack.Ransom from the bank . The stolen data , including customers ' financial details as well as personal details such as full names , addresses , passport numbers , phone numbers , account numbers , credit card numbers along with their CVV codes and more was leaked Attack.Databreach online by the hacker after the bank refused to pay up the ransom Attack.Ransom . In the case of the QNB , a hacker group going by the pseudonym `` Bozkurt Hackers '' claimed responsibility for the data breach Attack.Databreach . Hackers leaked Attack.Databreach 1.4GB data , which included customers ' financial records , credit card numbers and PIN codes as well as banking details pertaining to the Al-Thani Qatar Royal Family and Al Jazeera journalists . The stolen data from the QNB hack Attack.Databreach as well as the InvestBank data breach Attack.Databreach is now up for sale on an unspecified yet popular dark web marketplace , HackRead reported . This has not been independently verified by IBTimes UK . InvestBank 's data is allegedly being sold for a mere 0.0071 bitcoins ( $ 18.86 , £14.91 ) . The data on sale includes bank accounts , card details , customer IDs , branch codes as well as account holders ' full names . The stolen and leaked data from the QNB , which the bank later acknowledged may have been accurate , is also on sale for 0.0071 bitcoins . The data listed for sale includes the previously leaked QNB records such as bank accounts as well as card and personal details of customers . Dark web data sales from major breaches Attack.Databreach are not uncommon . In 2016 , a series of major breaches Attack.Databreach affecting several leading tech firms including LinkedIn and Dropbox , eventually saw hackers selling Attack.Databreach hacked and stolen databases on the dark web .

Hackers are reportedly selling Attack.Databreach stolen data from the Qatar National Bank ( QNB ) and UAE InvestBank on the dark web . Both the banks suffered major data breaches Attack.Databreach in 2016 and the data of thousands of customers was later leaked Attack.Databreach online by hackers . Now , even as tensions escalate between the two Middle Eastern nations , cybercriminals appear to be cashing in on the underground cybercrime community . Hackers hit Attack.Databreach the QNB in April 2016 and the UAE InvestBank in May 2016 . The Sharjah-based InvestBank 's stolen data was leaked Attack.Databreach online by a hacker going by the pseudonym `` Buba '' , who demanded Attack.Ransom a $ 3m ransom Attack.Ransom from the bank . The stolen data , including customers ' financial details as well as personal details such as full names , addresses , passport numbers , phone numbers , account numbers , credit card numbers along with their CVV codes and more was leaked Attack.Databreach online by the hacker after the bank refused to pay up the ransom Attack.Ransom . In the case of the QNB , a hacker group going by the pseudonym `` Bozkurt Hackers '' claimed responsibility for the data breach Attack.Databreach . Hackers leaked Attack.Databreach 1.4GB data , which included customers ' financial records , credit card numbers and PIN codes as well as banking details pertaining to the Al-Thani Qatar Royal Family and Al Jazeera journalists . The stolen data from the QNB hack Attack.Databreach as well as the InvestBank data breach Attack.Databreach is now up for sale on an unspecified yet popular dark web marketplace , HackRead reported . This has not been independently verified by IBTimes UK . InvestBank 's data is allegedly being sold for a mere 0.0071 bitcoins ( $ 18.86 , £14.91 ) . The data on sale includes bank accounts , card details , customer IDs , branch codes as well as account holders ' full names . The stolen and leaked data from the QNB , which the bank later acknowledged may have been accurate , is also on sale for 0.0071 bitcoins . The data listed for sale includes the previously leaked QNB records such as bank accounts as well as card and personal details of customers . Dark web data sales from major breaches Attack.Databreach are not uncommon . In 2016 , a series of major breaches Attack.Databreach affecting several leading tech firms including LinkedIn and Dropbox , eventually saw hackers selling Attack.Databreach hacked and stolen databases on the dark web .

Hackers are likely exploiting the easy-to-find vulnerabilities , according to the security researcher who warned Vulnerability-related.DiscoverVulnerability the Pentagon of the flaws months ago . The vulnerable systems could allow hackers or foreign actors to launch cyberattacks through the department 's systems to make it look as though it originated from US networks . Dan Tentler , founder of cybersecurity firm Phobos Group , who discovered Vulnerability-related.DiscoverVulnerability the vulnerable hosts , warned Vulnerability-related.DiscoverVulnerability the flaws are so easy to find Vulnerability-related.DiscoverVulnerability that he believes he was probably not the first person to find Vulnerability-related.DiscoverVulnerability them . `` It 's very likely that these servers are being exploited in the wild , '' he told me on the phone . While the Pentagon is said to be aware Vulnerability-related.DiscoverVulnerability of the vulnerable servers , it has yet to implement any fixes Vulnerability-related.PatchVulnerability -- more than eight months after the department was alerted Vulnerability-related.DiscoverVulnerability . It 's a unique case that casts doubts on the effectiveness of the Trump administration 's anticipated executive order on cybersecurity , which aims to review all federal systems of security issues and vulnerabilities over a 60-day period . The draft order was leaked Attack.Databreach last week , but it was abruptly pulled minutes before it was expected to be signed on Tuesday . Tentler , a critic of the plans , argued that the draft plans are `` just not feasible . '' `` It 's laughable that an order like this was drafted in the first place because it demonstrates a complete lack of understanding what the existing problems are , '' he said . `` The order will effectively demand a vulnerability assessment on the entire government , and they want it in 60 days ? It 's been months -- and they still have n't fixed it , '' he said . In the past year , the Pentagon became the first government department to ease up on computer hacking laws by allowing researchers to find and report bugs and flaws in systems in exchange for financial rewards . Trump aides ' use of encrypted messaging may violate records law Using disappearing messages in government could be a `` recipe for corruption , '' says one expert . Researchers must limit their testing to two domains -- `` defense.gov '' ( and its subdomains ) and any `` .mil '' subdomain . In an effort to pare down the list of hosts from `` all public Department of Defense hosts '' to `` only the ones in scope , '' Tentler was able to identify several hosts that answered to the domain names in scope . `` There were hosts that were discovered Vulnerability-related.DiscoverVulnerability that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country , who could want to implicate the US as culprits in hacking attacks if they so desire , '' he told me . `` The flaw could allow politically motivated attacks that could implicate the US , '' he added . In other words , a foreign hacker or nation-state attacker could launch a cyberattack and make it look like it came from the Pentagon 's systems . Tentler argued that the hosts were covered by the scope of the wildcard domains . A Pentagon spokesperson confirmed Tuesday that the vulnerabilities had been fixed Vulnerability-related.PatchVulnerability , and encouraged researchers to continue to submit Vulnerability-related.DiscoverVulnerability bugs and vulnerabilities , which are covered under the Pentagon 's vulnerability disclosure policy .

A security lapse at content distribution network provider Cloudflare that resulted in customer data being leaked Attack.Databreach publicly for several months was bad - but had the potential to be much worse . That 's Cloudflare 's initial postmortem conclusion after a twelve-day review of log data related to the breach Attack.Databreach . The review showed no evidence that attackers had exploited Vulnerability-related.DiscoverVulnerability the flaw prior to it being discovered Vulnerability-related.DiscoverVulnerability and patched Vulnerability-related.PatchVulnerability , Cloudflare CEO and founder Matthew Prince said in a blog Wednesday . A `` vast majority '' of Cloudflare 's customers also did not appear to have had any of their data leaked Attack.Databreach . Cloudflare ’ s inspection of tens of thousands of pages that were leaked Attack.Databreach from its reverse-proxy servers and cached by search engines revealed a `` large number '' of instances of internal Cloudflare cookies and headers . But so far , according to Prince , there ’ s no evidence that passwords , credit card numbers , and other personal data were compromised as was initially feared . The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests . The bug caused the parser to read memory not only from the HTML page that was being actually parsed , but also from adjacent memory that contained data in response to HTTP requests made by other customers . The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare ’ s CDN . `` If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page , '' Prince said . A lot of the leaked data ended up getting cached by search engines and Web scrapers . A security researcher from Google ’ s Project Zero threat hunting team alerted Vulnerability-related.DiscoverVulnerability Cloudfare to the bug last month . The company claimed it fixed Vulnerability-related.PatchVulnerability the problem in a matter of hours after being notified Vulnerability-related.DiscoverVulnerability of the problem . Some have compared the breach to Heartbleed and have even called it Cloudbleed . In his blog , Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees . Most of the time , the stranger would likely hear nothing of value , but occasionally might pick up Attack.Databreach something confidential . The same would have been true for a malicious attacker , who had somehow known about Vulnerability-related.DiscoverVulnerability the bug and exploited Vulnerability-related.DiscoverVulnerability it before Cloudflare ’ s fix Vulnerability-related.PatchVulnerability , he said . The customers most at risk of having their data exposed Attack.Databreach were those that sent the most requests through Cloudflare ’ s CDN . Cloudflare ’ s detailed postmortem and mea culpa evoked a mixed response from security experts . Ilia Kolochenko , CEO of Web security firm High-Tech Bridge praised Prince ’ s effort to be transparent about what went down . `` Even if we can not verify the accuracy of all the numbers inside – for the moment , I don ’ t have a valid reason to question either its content , or conclusion , '' Kolochenko says . In fact , until someone can come up with a credible rebuttal of Cloudflare ’ s internal investigation , it ’ s inappropriate to compare what happened at the company to Heartbleed . `` I ’ d say it ’ s inappropriate even to call this particular incident a 'Cloudbleed , ' '' he says . `` In the Heartbleed case , almost every company in the world , many software vendors including cybersecurity companies , were seriously impacted by the vulnerability . '' Heartbleed also resulted in multiple breaches Attack.Databreach and many organizations continue to be exposed Attack.Databreach to the threat . Neither of those situations applies to the Cloudflare security lapse . `` All avenues of Cloudflare ’ s vulnerability exploitation seems to be mitigated Vulnerability-related.PatchVulnerability by now , '' he says . But Kunal Anand , CTO of application security vendor Prevoty , says the details Cloudflare has shared are n't exactly reassuring . If no sensitive information like credit numbers and Social Security Numbers were leaked Attack.Databreach and the leaked dataset itself was relatively small , there is no reason why Cloudflare should n't share it with a third-party for an unbiased review , he says . `` CloudFlare needs to realize that HTTP headers , including cookies , contain sensitive information like session identifiers , authorization tokens and IP addresses , '' Anand says . `` All of these data points should count as private data . '' CloudFlare has been working with various search engines to purge their caches , but in the process , any evidence of the data that was leaked Attack.Databreach is being deleted as well . That makes it hard to quantify the scope of the data breach Attack.Databreach outside of CloudFlare 's own logs . `` There 's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis , '' Anand says .