
Hacker Posts Information of 1M Artsy User Accounts for Sale on Dark Web

On February 13, Artsy’s chief technology officer warned account holders of a “data security incident.”

A screenshot of the Artsy homepage

On Wednesday, February 13, Artsy’s chief technology officer, Daniel Doubrovkine, sent out an email to Artsy account holders to warn them of a “data security incident that may have impacted your Artsy account data.”

Artsy says it became aware of the breach on February 11, 2019, the same day that technology news and opinion website The Register posted an article revealing that “620 million accounts stolen from 16 hacked websites” had been posted for sale on the dark web.

The hacker is selling the information for 1,070,000 Artsy accounts, collected in April 2018, for just 0.0289 bitcoin, which is about $104. Currently, Artsy has over 1.3 million registered users.

“While the investigation is ongoing, we believe that the compromised information includes some users’ first and last names, emails, IP addresses, and password hashes,” Doubrovkine wrote in last night’s email. “Please note that Artsy does not store passwords, but only a password hash, which is a type of password protection and is considered industry best practice.”

The password hashes must be “cracked” before they can be used, meaning the buyer will sift through them for the easier-to-guess passwords.

Doubrovkine recommends that all Artsy users change their passwords immediately. The Register suggests that buyers will likely attempt to use this information to break into more personal accounts, such as Facebook and email accounts, and that affected individuals should change those passwords as well. There do not appear to be financial details in the sales listings.

Doubrovkine says, “[W]e are investigating this fully and taking steps to prevent this type of incident from happening in the future.”

Artsy has enlisted a “leading cyber forensics firm” to work alongside its engineering team to determine the cause of the hack. The company has not yet been informed of any incidents of fraud relating to the data breach, and says it has “no evidence that commercial or financial information was involved.”

Artsy was not able to offer additional comment at the time.
