January 24, 2017
AlphaBay, possibly the largest active dark web marketplace at the moment, has paid a hacker after he successfully exploited vulnerabilities in the internal mailing system of the website and hijacked over 200,000 private unencrypted messages from several users.
The hacker, using the pseudonym Cipher0007, disclosed two “high-risk bugs” two days ago on Reddit that allowed him to gain access to troves of private messages belonging to buyers and sellers on the dark website, AlphaBay admins announced on Tuesday.
It turns out that the messages were not encrypted by default, which gave the hacker ability to view all messages between vendors and buyers selling and purchasing everything from illicit drugs to exploits, malware, and stolen data.
To prove he had successfully compromised the AlphaBay website, the hacker posted five screenshots of random user private conversations, showing that AlphaBay users had openly exchanged their names, personal addresses and tracking numbers without encryption.
“We have been made aware of the bug that allowed an outsider to view marketplace private messages, reads a statement from the AlphaBay administrators on Pastebin, and “we believe that the community has the right to be made aware of what information was obtained.”
A first vulnerability allowed the hacker to obtain more than 218,000 personal messages sent between their users within the last 30 days, while the second bug allowed him to obtain a list of all usernames and their respective user IDs.