100M ‘Russian Facebook’ Credentials For Sale

Hackers infiltrated the European social network VK.com at some point over the last several years and made off with credentials for 100 million of its users.

News of yet another years-old social media site hack surfaced over the weekend when it was learned that hackers infiltrated the European social network VK.com at some point over the last several years and made off with credentials for 100 million of its users.

Breach notification site LeakedSource touted the breach on Sunday, claiming it was selling access to information on one-third of VK’s registered users, 100,544,934 records in total. Just like last week’s MySpace breach, which it also advertised, the site is claiming a user that goes by the name “Tessa88@exploit.im” supplied the dataset.

VK-previously known as Vkontakte, is often called “Russian Facebook” because the sites share many similarities. The St. Petersburg-based service boasts 300 million registered users and roughly 100 million active users.

Screen Shot 2016-06-06 at 12.31.07 PM

According to LeakedSource, each record may contain an email address, a first and last name, a location, phone number, a visible password, and potentially a second email address, adding that the passwords were stored in plaintext, with no encryption or hashing.

The bulk of email addresses associated with the dataset come from Mail.ru, a popular Russian email service, and Yandex, Russia’s largest search engine. More concerning though are the details about the passwords. If they were indeed in plaintext it could prove troubling for the site’s users, especially if they’ve used the password for another service. If viewable in plaintext, anyone who has access to the dataset could easily determine a password without having to go to the trouble of cracking it.

According to Motherboard, a hacker named Peace is selling the data for one Bitcoin, or approximately $570, on the underground marketplace TheRealDeal. The same hacker was selling data on 427 million MySpace users last week after news about that breach came to light, for $2,800.

The breach comes in the wake of news of similar hacks of LinkedIn, MySpace, and Tumblr – hacks from years ago, but that weren’t publicized until this past month.

It’s unclear exactly when VK was hacked, but according to Motherboard, Peace claims it may have been sometime between 2011 and 2013.

Officials from VK did not immediately reply to Threatpost’s request for comment on Monday but a spokesperson for the site on Sunday told Motherboard the site had not been breached, and that any information from the dataset was at least five years old and has since been changed.

“We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily,” the spokesperson told the site, “Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”

Andrey Rogozov, VK’s Head of Development, insisted users were safe in a post to the site on Monday morning meanwhile. Rogozov claimed the logins and passwords were relevant in 2012 and at the time the site’s team took the necessary measures to protect users whose passwords could be compromised.

Rogozov did not elaborate on how the credentials may have been obtained, or if VK.com was in fact hacked but maintained that since 2012 the site has been using “secure encrypted storage,” “password hashes,” two-factor authentication and mechanisms that alert users of login attempts and account activity, Rogozov claimed.

The breach comes on the heels of a trio of recently publicized compromises, including last week’s MySpace breach, initially from 2013, a Tumblr breach, also from 2013, and a LinkedIn breach, from 2012, which have spilled information on more than 500 million users combined.

Suggested articles