Russian Mega-Breach: 100 Million Plaintext Passwords Leaked
This case will rank among the biggest breaches involving plaintext passwords of all time.
Details of some 98 million user accounts from Russia’s biggest website, Rambler.ru, have been leaked after a data breach that dates back to 2012.
The website is one of the most visited in Russia, with services spanning search, email, news and more, which has seen it described as Russia’s equivalent of Yahoo.
Breach notification website LeakedSource broke the news earlier today after acquiring a copy of the stolen data cache. Altogether, a total of 98,167,935 user accounts turned up in the data trove. Each user account record contained a username/email address, the user’s password (more on this soon), an ICQ number and other internal data.
LeakedSource verified the data set with the help of a journalist who had three of her friends – who have Rambler.ru user accounts – fill in a portion of the passwords found in the breach. They turned out to be accurate, confirming the authenticity of the records.
In what can only be seen as a staggeringly irresponsible security practice, the passwords for all the accounts – nearly 100 million of them – were stored in plaintext, with no hashing or encryption used to safeguard them. In other words, an employee at Rambler could simply look up a user’s account and read the password in plain text.
In what is certain to come as depressing reading – beyond the revelation of plaintext passwords – the most commonly used password turned out to be “asdasd”, while the second most popular was a variation of the first, “asdasd123”. Predictably, “123456” rounded out the top three most used passwords on a website that is notable for its email service, much as Yahoo Mail is a part of Yahoo.
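As an added illustration (not code from the article or from Rambler.ru), the storage pattern described above beside a hardened form: the plaintext store keeps the password itself as the credential, while the hashed store rejects the three most common passwords named in the article and keeps only a random salt plus a PBKDF2-HMAC-SHA256 digest. The iteration count and the 16-byte salt are assumed values, and the denylist is constructed from the figures in the text.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed denylist: the three most common passwords reported in the Rambler.ru dump.
COMMON_PASSWORDS = {"asdasd", "asdasd123", "123456"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune until one hash costs ~100 ms on your hardware
SALT_LEN = 16                # assumed salt length in bytes


class PlaintextStore:
    """The pattern the article describes: the password itself is the stored credential."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self.users[email] = password  # anyone who can read this table has every password

    def verify(self, email: str, password: str) -> bool:
        return self.users.get(email) == password


class HashedStore:
    """Hardened form: reject known-breached passwords, store only salt + slow hash digest."""

    def __init__(self) -> None:
        self.users: Dict[str, bytes] = {}

    def register(self, email: str, password: str) -> None:
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password appears in a public breach list")
        salt = os.urandom(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[email] = salt + digest  # the record never contains the password itself

    def verify(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            # Run the KDF anyway so an unknown account is not distinguishable by timing.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, PBKDF2_ITERATIONS)
            return False
        salt, stored = record[:SALT_LEN], record[SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison
```

A leaked copy of `HashedStore.users` yields only salts and digests, so each password still has to be guessed individually at the full PBKDF2 cost, whereas a leaked `PlaintextStore.users` is the breach the article describes.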
LeakedSource added that the entire cache from the leak is now included in its searchable database.