Skip to main content

Operation Cookie Monster shuts off hacker marketplace selling millions of stolen accounts

Operation Cookie Monster shuts off hacker marketplace selling millions of stolen accounts

/

The Genesis Marketplace sold hackers access credentials that went beyond just usernames and passwords. Here’s how to tell if you were affected and what to do about it.

Share this story

Screenshot of the Genesis Market site, with a banner saying that it’s been seized and the logos of several law enforcement agencies.
The screen you’ll see if you visit Genesis Market now.
Image: Europol

Several law enforcement agencies have teamed up to take down Genesis Market, a website selling access to “over 80 million account access credentials,” which included the standard usernames and passwords, as well as much more dangerous data like session tokens. According to a press release from the US Department of Justice, the site was seized on Tuesday. The European Union Agency for Law Enforcement Cooperation (or Europol) says that 119 of the site's users have been arrested.

Genesis Marketplace has been around since 2018, according to the Department of Justice, and was “one of the most prolific initial access brokers (IABs) in the cybercrime world.” It let hackers search for certain types of credentials, such as ones for social media accounts, bank accounts, etc., as well as search for credentials based on where in the world they came from.

The agencies have teamed up with HaveIBeenPwned.com to make it easy for the public to check if their login credentials were stolen, and I’d highly recommend doing so — because of the way Genesis worked, this isn’t the typical “just change your password and you’ll be fine scenario.” For instructions on how to check whether Genesis was selling your stolen info, check out the writeup from Troy Hunt, who runs HaveIBeenPwned.

(The TL;DR is that you should sign up for HIBP’s email notification service with all of your important email addresses, and then be sure to click the “Verify email” button in the confirmation email. Just searching for your email on the site won’t tell you if you were impacted.)

We’ll go into what you can do to protect yourself if it turns out your credentials were available on Genesis — here’s a link to skip to that section, just in case you’ve got some really important accounts — but first, it’s useful to understand how the marketplace worked. Generally, these sorts of enterprises will sell username and password combinations, along with other personal info. And while you certainly don’t want those floating around, two-factor authentication can help protect you even if your password has been compromised.

While Genesis Marketplace traded in usernames and passwords, it also sold access to users’ cookies and browser fingerprints as well, which could let hackers bypass protections like two-factor authentication. Cookies — or login tokens, to be specific — are files that websites store on your computer to show that you’ve already logged in by correctly entering your password and two-factor authentication information. They’re the reason you don’t have to log into a website each time you visit it. (They’re also the reason that the joint effort to take down Genesis was given the delightful codename “Operation Cookie Monster.”)

They undoubtedly make the web convenient to use, but they pose a security risk if someone were to get a hold of them — say, by getting a user to download a piece of malware and then uploading them to a hacker’s servers. According to the DOJ, the data sold on Genesis came from “over 1.5 million compromised computers around the world.”

Web developers, however, know about this possibility and will often build in additional protections. One is called fingerprinting, which is a technique that looks at a ton of information about your computer, like what browser you’re using, what fonts you have installed, what hardware you have, etc. Fingerprinting is often used for advertising but can be helpful for security as well; if a cookie is associated with a Mac running Firefox, it’d be a little suspicious if it was suddenly used to access an account using Chrome on a Windows PC.

So Genesis stole the fingerprints, too. What’s more, it even provided a browser extension that let hackers spoof the victim’s fingerprint while using their login cookie to gain access to an account, according to a 2019 report from ZDNET.

YouTuber Linus Tech Tips has a great breakdown of how this type of attack works, as the technique was recently used to take over the channel. (Though, to be clear, it appears the hacker got their credentials by targeting them directly, not via a marketplace like Genesis.)

What to do if your info was on Genesis Marketplace

So you got an email from Have I Been Pwned saying that your data was found in the Genesis dataset. According to the FBI and Dutch police, your first step should be to log out of all your accounts on every web browser on your computer before clearing your cookies and caches. (Here’s how to do that in Chrome, Edge, Firefox, and Safari.) If you’re given the option, be sure to delete the data for all time, not just the past week or so, just to be safe. This will make sure that you’re logged out of everything and should render any session tokens you had invalid.

After this step, you are not done. If your data was stolen by malware, it’s very possible it’s still running on your device, ready to steal the new login cookies and upload them to another marketplace. That’s why you need to run a virus scan or completely reset your computer before logging back into anything. Personally, I use Malwarebytes whenever I need to hunt down viruses, but here are some quick guides on how to get rid of malware on Windows and on Macs. (Yes, Macs get viruses, too.)

After that, you should be okay to log back into your accounts. It’s worth checking out security expert Brian Krebs’ Mastodon thread for information on how exactly computers get infected because it’s not always via the obvious, easy-to-spot methods like files named “ClickMe_NOTAVirus.exe.” Knowing some of the warning signs to watch out for and common infection vectors like file-sharing sites can help keep you from getting reinfected by login-stealing malware.