DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

2016 W-2 data up for sale on the dark web (updated)

Posted on February 19, 2017 by Dissent

As regular readers know by now, DataBreaches.net has been compiling reported instances of W-2 phishing scams. As part of that investigation, I decided to take a quick look today at some dark net marketplaces to see if any data were up for sale. Brian Krebs had reported on this issue in January after finding a dedicated marketplace. I decided to check some others.

Within minutes, I found listings for 2016 W-2 data, although it is not clear from the listings where the data are from or how they were obtained. Here are some of the listings:

2016 W-2 data up for sale

 

2016 W-2 data up for sale
2016 W-2 data up for sale

DataBreaches.net attempted to find out whether the data in the first two listings might be from any of the known W-2 incidents. One vendor responded that most of the ones for sale are from Florida, while the rest are from Hawaii, North Carolina, South Carolina, and California. DataBreaches.net has reported on phishing incidents in schools in most of those states already, and is trying to obtain additional details from the vendor. The second vendor stated that all of his listings are from just one state, and I’m trying to find out which one. I’ve asked both vendors whether they’ll tell me if any are schools. 

The third listing linked to a sample with an unredacted W-2 form. The employer was not a firm that has reported having any breach this year, and an attempt to contact the employer was unsuccessful as the phone number obtained in a Google search has been disconnected.

Similarly, DataBreaches.net found another listing that is not being posted on this site just yet  because the sample image came from a college in Florida that has not disclosed any W-2 incident this year. DataBreaches.net called the college and left a detailed message with their campus security about the concern and offered to send them the information on the marketplace listing and the partial employee information that was visible in the listing. Although some of the information in the sample W-2 was redacted, DataBreaches.net was able to track down the employee whose W-2 this would be. The employee confirmed that the data were his data but because he admitted having a copy of his W-2 on his personal device, it’s still not clear whether there was a compromise at the college or a compromise of just the individual employee.

This post will be updated if more information becomes available.

Update 1: The vendor who indicated that all W-2’s were from one state indicated that the state was Florida, and that the source was companies (not schools).

Update 2, Feb. 20: The employee of the Florida college that I’m not naming at this time contacted me to say that he had checked and there was no copy of the W-2 on his personal devices. This morning, I spoke with the CIO of the college who had called me in response to my message yesterday, and they will be investigating. This post will be updated once they complete their investigation and let me know whether it appears that they have had a breach or not.

Update 3, March 6: See more about the college’s breach in this post.

Category: Breach IncidentsID TheftPhishingU.S.

Post navigation

← Cleveland Food Bank Loses Personal Data for Dozens of Clients
OCR investigating CoPilot Provider Support Services breach; former employee lodged complaint →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.