Cyber Incident Victim: lookbook.nu

In May 2016, a hacker using the alias "Peace of Mind" advertised the sale of 1.1 million Lookbook.nu user accounts on the dark net. The compromised data included email addresses and plaintext passwords, priced at BTC 0.1519 (approximately $102.23 USD). By June 2016, the dataset had been sold six times, with one buyer under the pseudonym "6969" confirming the data's validity and usefulness for spam campaigns, scams, and credential reuse attacks due to Lookbook.nu's fashion-focused user base. The breach posed additional risks because Lookbook.nu permitted users to authenticate via Facebook credentials, raising concerns that compromised Lookbook accounts could facilitate unauthorized access to linked Facebook profiles. However, no corroborated reports confirmed whether Facebook accounts were exploited through this vector or whether Lookbook.nu users had experienced direct account takeovers at that time.

The origin and timeline of the data compromise remained unclear, with no public confirmation from Lookbook.nu regarding the breach's occurrence, attack methodology, or detection. The article did not specify whether company representatives acknowledged the incident or initiated containment measures such as password resets, user notifications, or system audits. The exposure of plaintext passwords indicated potential security deficiencies in Lookbook.nu's credential storage practices, as industry standards typically mandate cryptographic hashing. The sale's persistence on dark net markets suggested ongoing dissemination of the dataset, amplifying risks of credential-stuffing attacks against users who reused passwords across multiple platforms. No technical details about affected systems or intrusion methods were disclosed in the available reporting.