Hackers scraped personal data from thousands of women shopping on plus-size clothing sites, and it points to a new trend that a cybersecurity expert calls 'uniquely terrible'
- Hackers obtained personal data on thousands of plus-size women, possibly with the aim of scamming them with products like false weight loss supplements, according to cybersecurity firm DynaRisk.
- The hackers also discussed selling the women's data to third parties for targeted advertising, according to posts made on hacker forums obtained by DynaRisk and viewed by Business Insider.
- The breach shows how hackers are attempting to cash in on the lucrative personal-data market driven by online advertising.
In a message recently uploaded to a dark web forum, a hacker solicited bids on an illegally obtained commodity. This wasn't typical contraband, like drugs or porn - it was a set of personal data from thousands of plus-size women.
Others in the dark web forum discussed how to monetize the women's personal data by targeting them with scams meant to sell weight-loss supplements or plus-size clothing. The original poster included a sample set of a few thousand women's data, most of whom lived in the US, suggesting the full set included hundreds of thousands of data points.
The hacker gained unauthorized access to the data from women's clothing websites, according to DynaRisk, a cybersecurity firm that detected the activity and shared its findings with Business Insider. DynaRisk determined that the data was exposed in late August.
The hackers' activity is notable because it reflects a new strategy hackers are using to maximize their profit from illegally obtained data, according to DynaRisk CEO Andrew Martin.
"This is not something we come across every day, and this is really uniquely terrible," Martin said.
Breaches of user data are fairly commonplace, but it's less common for hackers to aggregate data on a specific demographic - in this case, plus-size women - seemingly with the aim of selling the data to bad actors who believe they have a higher chance of marketing specific, possibly fraudulent products to that demographic.
"Most cybercriminals will find a list of 500 million hacked email addresses and they'll bombard them with spam, but they don't know what to send them ... in this case, they know a message that might resonate with these women, and they might be seeking out this specific type of product," Martin said.
While the women's data was illegally obtained, the hackers' strategy mirrors a legitimate market driven by the personal data economy. Online advertisers are willing to pay top dollar to companies that aggregate demographic data, like Facebook or Google - Investopedia estimates that Facebook owns as much as $70 million-worth of personal data.
It's even possible that a legitimate company could use personal data provided by illicit sources like this dark web forum, according to Martin, and it would be almost impossible to track whether the company had done so.
"A company could end up buying a list from a third-party data broker, like a 'gray market' provider, and that company might have a don't ask, don't tell approach ... so these people could be targeted with legitimate products through an illegitimate route," Martin said.
As personal data becomes increasingly lucrative, methods like these are likely to become more common. High-profile hacks and data breaches are on the rise, and selling bundles of demographic data provides yet another incentive for hackers.