A reddit user named Skillzythehacker has claimed to have compromised thousands of accounts on Dream Market, though market administrators said no Bitcoin were at risk. The attacker said of all the compromised accounts, none were using 2FA, a supposed panacea for login security issues.

Dream market admin wombat2combat released the following message:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The user /u/Skillzythehacker sent the mods of /r/Darknetmarkets a list of over 
50 login credentials [names and passwords] for dream market accounts.

After looking at them more closely we can verifiy that they are working and the
accounts are pretty old because their user IDs are between about 100k and 500k
while the latest ones [when registering a new account] are higher than 700k.

It is therefore very likely that these login credentials were obtained through a
database breach/hack.

There were already made some changes to the current dream market warnings and 
this issue will be added to them too.
- -----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJYqiTvAAoJEMPzj/CHV15DtLUP/jQ9hpsuqUg/QMcoTN35rWgI
QVIbU2rK1APMnf3QL1WAGnqcyv3u3ymh3gV2CC9HkQDOBIbgkPOk77bjMMoV3G1/
rvDdSTsNHE4pv878k/IOT6mgBuQN3h2YEPsTbuT2XVzZoI2/PX3l+Zs/TEUTNnku
KIQSkZNWPQpIr8DKPXDmGW3Zulpfgv8+1b1m2NrThZe4hTQ9LObmE9gboeI6keRs
AVkrfG2ijB40ADjYWtIyj4AvxdvsGotL2p/QnrRfaDX8dfJWbpEeK/KEg0zwdVqe
VnTWsRoHCCb65IJ3It8YFIKhmDZRH27ulT4nCtyPu8grRRhQn+pZYP8wj0VBsOsa
raHNko4cJBo4y/BQjEfYHWjKO485w+RF1NRNfDuH8sj86zV2NpERtGCD9HZJ3hdk
07EN4/tuJbRlhImIJCx6I+Q7YCDtc2eKhRqy5IX2qwEspZvhUiDELVSvwquW2Hoz
OYmvkrMgao0Tdk4kaefk6VOXi+ClxK6VNYAvHWN//mylwOk4Av7Z4Kg5I33N1tfS
QY4bh3e7JwkQ/LHJghhRSeeTM5AAzFOPluLeXxx6zQf74f7fQYDfRJd/LRq2yp7H
MDV91mS/ID5814UIC0aNXTBfUzn7+bxJus0yJKTjGNiZBpE2SuoKsWARX03En9sn
pMtjAJ+DD5BZBcC+oiu5
=b1Lf
- -----END PGP SIGNATURE-----

The attacker is said to have provided proof he could log into various accounts, leading users to speculate that user info was stored with weak or no encryption. (archived)