AlphaBay, possibly the largest active dark web marketplace at the moment, has paid a hacker after he successfully exploited vulnerabilities in the internal mailing system of the website and hijacked over 200,000 private unencrypted messages from several users.
The hacker, using the pseudonym Cipher0007, disclosed two "high-risk bugs" two days ago on Reddit that allowed him to gain access to troves of private messages belonging to buyers and sellers on the dark website, AlphaBay admins announced on Tuesday.
It turns out that the messages were not encrypted by default, which gave the hacker the ability to view all messages between vendors and buyers selling and purchasing everything from illicit drugs to exploits, malware, and stolen data. To prove he had successfully compromised the AlphaBay website, the hacker posted five screenshots of random users' private conversations, showing that AlphaBay users had openly exchanged their names, personal addresses and tracking numbers without encryption.
Over 218,000 Private Messages of Anonymous Dealers Exposed
"We have been made aware of the bug that allowed an outsider to view marketplace private messages," reads a statement from the AlphaBay administrators on Pastebin, and "we believe that the community has the right to be made aware of what information was obtained."
The first vulnerability allowed the hacker to obtain more than 218,000 personal messages sent between the site's users within the last 30 days, while the second bug allowed him to obtain a list of all usernames and their respective user IDs. However, the AlphaBay admins said that users who did not receive any message in their inboxes in the last 30 days were not affected. They also claimed the bugs were exploited by only a single hacker.
AlphaBay Fixes the Bugs and Pays the Hacker
The admins also assured their users that AlphaBay forum messages, order data, and Bitcoin addresses of users are all safe, and that the issue was fixed within just four hours after the Reddit user went public. "The attacker was paid for his findings, and agreed to tell us the methods used to extract such information," AlphaBay admins said. "Our developers immediately closed the loophole in order to protect the security of our users."
Meanwhile, they advised AlphaBay users to make use of a PGP key and always encrypt their sensitive data, including delivery addresses, Bitcoin wallet IDs, tracking numbers, and others. Since AlphaBay is a Dark Web marketplace, accessible only via the Tor Browser, the bug could have been exploited by law enforcement to unmask the real identities of users who deal in drugs and other illegal activities.
However, AlphaBay members using a PGP key and encrypting their account details would be on the safer side. This is not the first time a hacker has discovered a flaw in the AlphaBay dark website. AlphaBay faced a similar vulnerability in April last year, when its users' private messages were left exposed due to a flaw in its newly launched API, allowing an attacker to obtain 13,500 private messages.