Accounts for over 100 million users of popular social media site VK.com are being traded on the digital underground.
Breach notification site LeakedSource obtained the data and published an analysis on Sunday. The hacker known as Peace, meanwhile, listed the data for sale on a dark web marketplace.
VKontakte, heavily inspired by Facebook, is particularly popular in Russia, and has all the same features one might expect, including messaging, profiles, photo galleries, like buttons, and more. The site was founded by Pavel Durov, who sold his stake in VK and created the messaging app Telegram. As of 2014 VK had 100 million users. Peace provided experts with a dataset containing a total of 100,544,934 records, and LeakedSource provided a smaller sample for verification purposes. The data contains first and last names, email addresses, phone numbers and passwords.
According to Peace, the passwords were already in plain text when the site was hacked, and were not cracked at a later date. Peace is selling the data for 1 bitcoin, or around $570 at today's exchange rates. Out of 100 randomly selected email addresses from the larger dataset, 92 corresponded to active accounts on the site. A Russian friend confirmed that the password was correct.
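The claim that the passwords were stored in plain text is the detail that turns a database copy into a credential list. The following is an added example, not VK's code: a minimal plaintext credential table alongside the hardened form a site should keep, where only a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest are stored, so a leaked table does not read back into passwords. The table layout, the iteration count and the sample users are assumptions chosen for illustration.

```python
"""Plaintext versus salted, slow-hashed password storage (added example)."""
import hashlib
import hmac
import os

# Assumed cost setting; raise it as far as login latency on your hardware allows.
PBKDF2_ITERATIONS = 600_000


class PlaintextStore:
    """The weak form: a copy of the table is a copy of every password."""

    def __init__(self):
        self._rows = {}

    def register(self, user, password):
        self._rows[user] = password

    def verify(self, user, password):
        return self._rows.get(user) == password

    def dump(self):
        """What an attacker who copies the table obtains."""
        return dict(self._rows)


class HashedStore:
    """The hardened form: per-user salt plus a deliberately slow digest."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh random salt per user defeats shared rainbow tables
        self._rows[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        row = self._rows.get(user)
        if row is None:
            return False
        salt, stored = row
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(self._digest(password, salt), stored)

    def dump(self):
        return dict(self._rows)


def password_visible_in_dump(store, password):
    """True if the literal password appears anywhere in a copy of the store's table."""
    needle = password.encode("utf-8")
    for value in store.dump().values():
        parts = value if isinstance(value, tuple) else (value,)
        for part in parts:
            blob = part if isinstance(part, bytes) else str(part).encode("utf-8")
            if needle in blob:
                return True
    return False


def demo():
    """Register the same constructed user in both stores and compare what a leak exposes."""
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("ivan", "123456")  # constructed sample credential
    return {
        "weak_login_ok": weak.verify("ivan", "123456"),
        "strong_login_ok": strong.verify("ivan", "123456"),
        "strong_rejects_wrong": strong.verify("ivan", "1234567"),
        "weak_leaks_password": password_visible_in_dump(weak, "123456"),
        "strong_leaks_password": password_visible_in_dump(strong, "123456"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both stores authenticate the same user correctly; the difference only shows when the table itself leaks, which is exactly the scenario the article describes.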
While many of the phone numbers were genuine, not all users had numbers listed. At the time of writing, a phone number is required upon registration, but that was not always the case. Indeed, according to Peace, the site was hacked sometime between 2011 and 2013, although exactly when is unclear. Peace claimed to have access to another 71 million accounts, but decided not to sell them yet.
LeakedSource wrote on its blog that the data was provided by someone who used the alias “Tessa88.” This is the same pseudonym that came up around the recent proliferation of user data from MySpace. According to LeakedSource's analysis, the most popular password in the dataset was “123456,” with 709,067 appearances. Many other passwords were predictable, including “qwerty,” “123123,” and “qwertyuiop.”
The vast majority of email addresses, according to LeakedSource, use the “@mail.ru” domain, accounting for 41,132,524 of them. Other Russian services dominate the list of top email domains. Neither Durov from Telegram nor the press contact for VK replied to a request for comment.
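The two LeakedSource figures above (the most common password and the most common email domain) come from straightforward frequency analysis over the dump. As an added example, not LeakedSource's own tooling, the script below runs that analysis over a constructed seven-row sample: it counts passwords, normalises email domains to lower case before counting them, and reports how many records carry a phone number, which the article notes was not universal. The CSV column order is an assumption, not VK's real export format.

```python
"""Frequency analysis of a credential dump (added example; sample data is constructed)."""
import csv
import io
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample dump. Column order is assumed for illustration only.
SAMPLE_DUMP = """\
first,last,email,phone,password
Ivan,Petrov,ivan.petrov@mail.ru,+70000000001,123456
Olga,Ivanova,olga@mail.ru,,qwerty
Sergei,Sidorov,sergei@yandex.ru,+70000000003,123456
Anna,Kuznetsova,anna.k@mail.ru,,123123
Dmitri,Smirnov,dsmirnov@rambler.ru,+70000000005,qwertyuiop
Elena,Popova,elena@MAIL.RU,,123456
Nikolai,Volkov,nvolkov@yandex.ru,+70000000007,qwerty
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the CSV dump, dropping rows that lack an email or a password."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("email") and row.get("password")]


def top_passwords(records: Iterable[Dict[str, str]], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent passwords with their counts, most common first."""
    return Counter(row["password"] for row in records).most_common(n)


def top_email_domains(records: Iterable[Dict[str, str]], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent email domains; domains are case-insensitive, so fold to lower case."""
    domains: Counter = Counter()
    for row in records:
        _, _, domain = row["email"].rpartition("@")
        if domain:
            domains["@" + domain.lower()] += 1
    return domains.most_common(n)


def phone_coverage(records: Iterable[Dict[str, str]]) -> float:
    """Fraction of records that carry a phone number."""
    rows = list(records)
    if not rows:
        return 0.0
    return sum(1 for row in rows if row.get("phone")) / len(rows)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    print("records:", len(recs))
    print("top passwords:", top_passwords(recs))
    print("top email domains:", top_email_domains(recs))
    print(f"phone coverage: {phone_coverage(recs):.0%}")
```

On a real dump the same counters run over tens of millions of rows; the only practical change is streaming the file rather than holding the parsed list in memory.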
The lesson: Huge data dumps of email addresses and passwords continue to surface. Again, the main lesson from all of these hacks is that users have to create a unique password for every site. This shouldn't be seen as a fancy, additional security step, but a fundamental one to stop attackers who obtain a password from one breach from getting into accounts elsewhere. When the most popular sites on the internet, and the ones that hold our most personal information, are being breached, proper password use is a must.