Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

Stolen debit and credit card details of almost 85,000 Britons available on 'brazen' online database

Unlike other similar sites, Bestvalid operates openly on the internet and can be accessed by anyone

Lizzie Dearden
Saturday 13 February 2016 07:12 EST
It was unclear how the site accessed the details but recent hacks have compromised information held by several large companies in the UK
It was unclear how the site accessed the details but recent hacks have compromised information held by several large companies in the UK (Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Debit and credit card details stolen from almost 85,000 unsuspecting Brits are available to buy online in a “brazen” criminal database.

For a $20 (£14) registration fee, anyone can access the numbers, expiration dates and names on more than a million cards around the world, alongside the names, addresses and even phone numbers of their owners.

The existence of Bestvalid.cc was first revealed by The Times, who alerted the National Crime Agency and MPs, but it was still online on Saturday.

Anyone can create an account to access stolen personal details.
Anyone can create an account to access stolen personal details.

After registering with a gibberish username and password, the Independent was able to access the database within minutes.

The website looks like any other business, complete with a FAQs page, rules, terms of service and “news”, although its products are far from normal.

Users can choose cards by country, bank, name, expiration date, city and even postcode for miniscule prices that “correspond to the material quality” (sic) according to the website.

A quick scan of the countries on offer included nations as diverse as the US, China, Greece, Argentina, India, Taiwan, Denmark, the Bahamas, Australia and Zimbabwe.

A search for the United Kingdom revealed 84,570 results - 78,318 debit, 6,239 credit and a handful of charge cards.

Redacted results returned for a search of UK card details on Bestvalid's criminal database
Redacted results returned for a search of UK card details on Bestvalid's criminal database

Barclays, Nationwide and Natwest were among the popular banks listed in packages of stolen information mostly costing between $7 (£5) and $9 (£6) each.

The Times found details belonging to a former senior adviser to the Queen as well as from doctors, lawyers, bankers and other professionals on the database.

With the permission of one of the victims, Laia Humbert-Vidan, the newspaper purchased her stolen information using bitcoin.

The radiotherapy physicist, from London, said that she felt violated after seeing her private details appear on Bestvalid.

“I don’t feel like the police are able to protect anyone from online fraud,” she added. “If they were, these types of sites would not exist in the first place.”

Five people have been arrested in connection with October's attack on Talktalk, which saw the personal details of 157,000 customers accessed
Five people have been arrested in connection with October's attack on Talktalk, which saw the personal details of 157,000 customers accessed (Getty)

The website is believed to have been operating since June last year, despite the Government’s continuing fight against online fraud and investigations into the Carphone Warehouse and TalkTalk hacks, which have seen five suspects arrested so far.

The .cc domain is the country code for the Cocos Islands, an Australian territory in the Indian Ocean with just 600 inhabitants. It is reportedly used by several cycling clubs, Catholic and Christian churches because of the letters' associations, as well as in contested "Turkish Republic of Northern Cyprus".

Daniel Cuthbert, the chief operating officer of information security firm Sensepost, told The Times that Bestvalid was one of the biggest sites of its kind.

“Most illegal card emporiums are on the dark web, or they require a customer to be vetted or pay a fee to enter,” he added.

“What’s interesting about Bestvalid is that they’ve decided to operate on the open web…It’s completely brazen.”

A spokesperson for the NCA, which is responsible for fighting cyber crime and fraud in the UK, told the Independent he could not confirm whether the site was under investigation.

“The NCA, alongside UK and international law enforcement partners and the private sector, are working to identify and as appropriate disrupt websites selling compromised card data,” he said.

“We will work closely with partners of the newly established Home Office Joint Fraud Task Force to strengthen the response.

“This may include the provision of information to the appropriate authorities of countries hosting the server.

“As part of a prevention approach, alerts to financial institutions providing the details of compromised cards will be considered.”

Anyone who believes they are a victim should report to Action Fraud by going to its website here.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in