A hacker has put up for sale 100,544,934 records he claims were stolen from VK.com, a Russia-based social network. This is the same hacker who had previously sold data dumps from MySpace, LinkedIn, Tumblr, and Fling.com.
Named Peace (or Peace_of_mind), the hacker is asking for 1 Bitcoin (~$570) for the entire dataset, which is available for sale on The Real Deal Dark Web marketplace.
Data breach search engine service LeakedSource has obtained the data from one of the people who bought it. The company has analyzed the dump's contents and added it to its service. Users can search LeakedSource to see whether their data was compromised.
VK.com stored passwords in cleartext
According to the company's experts, the data dump contains information such as email addresses, first name, last name, location information, phone numbers, sometimes a secondary email, and in all cases a cleartext password.
As of now, nobody knows when VK.com was hacked and this data stolen, but if VK.com still stores passwords in cleartext today, this should be a warning sign for its users.
All the LinkedIn, MySpace, and Tumblr breaches are believed to have taken place between 2012 and 2013, when some sites did not practice up-to-par Web security policies, such as hashing and salting passwords.
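Salted password hashing, the practice the paragraph above says some sites lacked, shown as an added example (not code from the article, VK.com, or LeakedSource). scrypt is this example's choice of hash; the function names, cost parameters and sample passphrase are assumptions, and the denylist holds a few entries from the article's top-25 password table.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed denylist: a few entries copied from the article's top-25 table.
COMMON = {"123456", "123456789", "qwerty", "111111", "gfhjkm", "1q2w3e4r"}

# scrypt cost parameters: assumed values for this example, tune per deployment.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024

def _derive(password, salt):
    """Salted, memory-hard digest of the password (32 bytes)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, maxmem=MAXMEM, dklen=32)

def register(db, user, password):
    """Store (salt, digest) only; refuse passwords on the denylist."""
    if password in COMMON:
        return False
    salt = os.urandom(16)  # fresh random salt for every record
    db[user] = (salt, _derive(password, salt))
    return True

def verify(db, user, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _derive(password, salt))

def top_repeat(values):
    """Highest repeat count among stored values: the raw input of a frequency table."""
    return Counter(values).most_common(1)[0][1]

def demo():
    # Constructed sample: three users who picked the same password.
    shared = "constructed shared passphrase"
    cleartext_db = {u: shared for u in ("u1", "u2", "u3")}
    salted_db = {}
    for u in cleartext_db:
        register(salted_db, u, shared)
    digests = [d for _, d in salted_db.values()]
    return top_repeat(cleartext_db.values()), top_repeat(digests)
```

Because each record has its own salt, identical passwords produce different digests, so a frequency breakdown like the one in this article cannot be read directly off the stored values.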
Below is a breakdown of the leaked data, with a list of top 25 most popular passwords, top 25 most popular email domains, and a screenshot of Peace's VK.com listing.
Rank | Password | Frequency |
---|---|---|
1 | 123456 | 709,067 |
2 | 123456789 | 416,591 |
3 | qwerty | 291,645 |
4 | 111111 | 189,151 |
5 | 1234567890 | 156,614 |
6 | 1234567 | 141,620 |
7 | 12345678 | 107,799 |
8 | 123321 | 93,048 |
9 | 000000 | 91,981 |
10 | 123123 | 89,461 |
11 | 7777777 | 87,022 |
12 | qwertyuiop | 77,256 |
13 | 666666 | 77,048 |
14 | 123qwe | 68,800 |
15 | 555555 | 66,208 |
16 | zxcvbnm | 64,066 |
17 | 1q2w3e | 62,903 |
18 | gfhjkm | 57,386 |
19 | qazwsx | 56,465 |
20 | 1q2w3e4r | 55,251 |
21 | 654321 | 51,680 |
22 | 987654321 | 50,306 |
23 | 121212 | 44,652 |
24 | zxcvbn | 44,209 |
25 | 777777 | 42,279 |

Rank | Email Domain | Frequency |
---|---|---|
1 | @mail.ru | 41,132,524 |
2 | NONE | 21,877,927 |
3 | @yandex.ru | 11,604,169 |
4 | @rambler.ru | 7,416,993 |
5 | @bk.ru | 2,183,690 |
6 | @gmail.com | 2,033,429 |
7 | @list.ru | 1,586,503 |
8 | @ukr.net | 1,509,641 |
9 | @inbox.ru | 1,411,841 |
10 | @yahoo.com | 586,902 |
11 | @i.ua | 523,155 |
12 | @hotmail.com | 522,182 |
13 | @ya.ru | 518,710 |
14 | @bigmir.net | 413,599 |
15 | @yandex.ua | 319,155 |
16 | @meta.ua | 308,771 |
17 | @tut.by | 227,743 |
18 | @e-mail.ru | 147,319 |
19 | @pochta.ru | 138,758 |
20 | @qip.ru | 123,094 |
21 | @inbox.lv | 106,310 |
22 | @vkontakte.ru | 105,614 |
23 | @yndex.ru | 94,643 |
24 | @e1.ru | 84,581 |
25 | @meil.ru | 82,608 |