AlphaBay admins announced today they'd plugged a security hole that allowed an attacker to gain access to around 218,000 private user messages.

The bug was disclosed two days ago on Reddit by a user named Cipher0007, who also posted five screenshots of random users' private conversations.


Earlier today, AlphaBay admins confirmed the bug and issued a statement regarding the incident, admitting the intruder obtained the content of over 218,000 private messages, sent in the last 30 days. Reddit DarkNetMarkets admins confirmed the bug on the same day.

AlphaBay admins also acknowledged that a second bug, also discovered by Cipher0007, allowed him to obtain a list of all usernames and their respective IDs (in the AlphaBay database).

!----- What did the attacker obtain? -----
1) Marketplace PMs not older than 30 days, up to ID 2609452. IDs are not always sequential, as 218,000 messages were obtained.
*** Conversations who did not receive a message in the last 30 days were not affected, as they were automatically purged *****
2) List of user IDs + username (nothing more).

Bug could be used to deanonymize some buyers/sellers

AlphaBay is a marketplace on the Dark Web, accessible via the Tor Browser only, where users can sell and buy illegal products such as drugs, exploits, malware, stolen data, guns, and more.

Users often discuss payment and order details via private messages, where they exchange contact and payment information.

To protect its users, AlphaBay admins allow them to use a PGP key and encrypt sensitive information such as delivery addresses, Bitcoin wallet IDs, tracking numbers, and others.

The bug, if exploited, would have allowed law enforcement to unmask some details about buyers and sellers, but it would not have been useful against AlphaBay members who used a PGP key and encrypted their account details.

If another attacker had also discovered the same issue, he could have used the same information to extort AlphaBay sellers and customers, threatening to reveal their identity to law enforcement.

AlphaBay fixes issue, pays Cipher0007

According to AlphaBay admins, they paid Cipher0007 an undisclosed fee to reveal the methods he used to obtain access to private messages and user IDs.

AlphaBay suffered a similar incident in April 2016, when a bug in its newly-launched API allowed an attacker to obtain access to 13,500 private messages.

Shortly after his AlphaBay discovery, user Cipher0007 also found another bug in the Hansa Dark Web marketplace that allowed him to compile a list of Hansa usernames. The bug was reported to Hansa, according to Reddit DarkNetMarkets admins.