The Dutch police have released an online tool that helps people check if their email and digital fingerprint data were offered for purchase on the now dismantled Genesis Market, the largest credential-selling marketplace on the regular web.
Online fingerprints are identifiers combining hardware profiles, IP addresses, screen size, battery info, OS version, firmware version, and other secondary information, and are used by websites to identify valid points of access of legitimate account owners.
They prevent attackers who have somehow stolen user credentials from accessing other people’s accounts, detecting an irregularity, and requesting additional validation.
The Genesis market was the largest marketplace of this kind, specializing in the sale of digital fingerprints, either stolen or generated, helping threat actors bypass website protection systems and hijack accounts.
The platform didn’t reside on the dark web, as is typical for this kind of market. Instead, it used an invite-only model that was supposed to filter out law enforcement agents while keeping access to the platform for everyone else simple.
Kaspersky was the first to report about Genesis in April 2019, when the platform offered roughly 60,000 digital fingerprints for sale at a cost between $5 and $200.
Yesterday, a globally coordinated law enforcement operation named “Operation Cookie Monster” took down the criminal market. By that point, it was listing 2 million digital fingerprints, cookies, saved logins, and autofill form data for as little as $0.7 each.
The police have seized the Genesis servers and carried out multiple property searches in 17 countries, resulting in 119 arrests of individuals involved in its operation, prolific sellers, and high-profile buyers.
The Dutch police have set up a page that hosts an online checking tool where people can enter their email to see if their data was put up for sale on Genesis.
All you need to do to check yourself is enter your email address on the checker, and if the service finds a match, it will respond with an email. If no email is received within a few minutes, it means that your digital fingerprint was not in Genesis’ database.
If you receive a confirmation that your data was sold on Genesis, it does not necessarily mean you were compromised. However, you should still take immediate action out of an abundance of caution.
The standard actions to take in this case is to change your passwords for all your online accounts and use something long and unique, enable multi-factor authentication wherever possible, update your security questions, and closely monitor all activity on your online and bank accounts for any suspicious activity.