Russia’s largest social network hacked – 100 million clear-text passwords stolen
Mon 6 Jun 2016
Russia’s largest social network, vk.com, has been the victim of a data breach which has leaked 100 million clear-text passwords from the community’s user-base of over 280 million accounts.
The breach was reported by LeakedSource, which has added the 100,544,934 records to its database of 1.8 billion purloined records, and has provided a searchable interface for the data, with the option to request removal free of charge.
Although LeakedSource provides facilities to remove users from the database, the site claims that its automated system to provide the service will not be available until next week, and so presumably requests must wait upon a personal response.
The fact that the passwords were stored as plain-text without encryption, hashing and salting, is quite shocking for a community of this size and scope. Of the content made available by the hack, the site says:
‘Each record may contain an email address, a first and last name, a location (usually city), a phone number, a visible password, and sometimes a second email address.’
The database was provided to LeakedSource by the user ‘[email protected]’, who also apparently provided the site with 360,213,024 MySpace login details at the end of last month. In that case the passwords were encrypted, though they were not salted, and hence far more susceptible to decryption. The lack of salting also made it possible for researchers to decrypt 167 million stolen LinkedIn details (recently offered for sale) in a mere three days.
LeakedSource have provided a table of the top 55 ‘dumb-as-hell’ passwords for the breach, the most obvious of which occur with incredible frequency. Topping the list are our old friends ‘123456’ (709,067 times), ‘123456789’ (416,591 times) and the classic ‘qwerty’ (291,645 times). Those who have sneakily moved the all-too-obvious ‘qwerty’ a little further down the keyboard will be pleased to see that the analogous ‘zxcvbnm’ only registers in the breach database 64,066 times.
A little more confusing is the 33,236 times that the apparently more obscure ‘PolniyPizdec0211’ is found among the passwords, considering that it only shows up in a handful of GitHubbed data dumps prior to the VK breach.
Almost as surprising is the 24,309 times that ‘marina’ is found as a password here (in at #48). A cynical search for popular Russian actresses or models with that name provides no conclusive results that I can see, so we’ll assume that Russian users have a laudable literary bent.