A thriving online bazaar selling stolen payment card data has been hacked in a heist that leaked the records for more than 26 million cards, KrebsOnSecurity reported on Tuesday.
The 26 million figure isn't significant only to the legitimate consumers and businesses who own the stolen cards or the financial institutions that issued them. Fortunately for the card owners, the database is now in the hands of affected financial institutions, who can invalidate and replace the cards.
The number, therefore, is perhaps a bigger deal because it represents a significant fraction of the world's stolen-card inventory. Krebs said that Gemini Advisory, a company that monitors dozens of underground markets trafficking stolen card data, currently tracks a total of 87 million credit and debit card records. The haul of 26 million cards means that about a third of that supply has been taken out of circulation in a single swipe.
The hacked market is called BriansClub, a site available at BriansClub[.]at that, for years, has imitated Krebs' site and likeness. The data taken in the hack shows that BriansClub acquired 1.7 million cards in 2015, 2.9 million in 2016, 4.9 million in 2017, 9.2 million in 2018, and 7.6 million in the first eight months of this year. Most of the pilfered data is composed of "dumps," the term card thieves use to describe data that's stored on the magnetic stripe of payment cards. The stolen dumps can be transferred to new cards that crooks use to buy electronics, gift cards, and other large-ticket items from big-box stores. An analysis based on how many of the cards had expiration dates in the future suggests that more than 14 million of the leaked records could still be valid.