Over 100 Million VK.com Customer Records for Sale

Popular Russian social network VK.com appears to have become the latest big name to suffer a major data breach, with over 100 million records including log-ins and personal information being traded on the darknet by the same black hat responsible for the sale of data from LinkedIn, Tumblr, MySpace and others.

There are 100,544,934 records in all, with each one containing “an email address, a first and last name, a location (usually city), a phone number, a visible password, and sometimes a second email address,” according to LeakedSource.

The site, which publishes details of such breaches, was given the information by a user calling themselves Tessa88@exploit.im.

“Passwords were stored in plaintext with no encryption or hashing,” it revealed. “The methods VK used for storing passwords are not what internet standards propose because hackers can now see all 100 million passwords used on the site.”

The hacker, who goes by the moniker peace_of_mind, is selling the information on an underground site for 1 bitcoin ($570).

Various reports suggest that the data is correct. However, VK.com has hit back, claiming that it has not in fact been breached and that the data in question was stolen from individual account holders.

It sent the following statement to Motherboard:

“VK database hasn’t been hacked. We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily. Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”

The news comes on the back of revelations that similarly large data dumps are being sold by the same black hat.

LinkedIn (170m), Tumblr (65m) and MySpace (360m) were all found to have been breached – but interestingly the attacks themselves are believed to have occurred more than three years ago at the earliest.

Source: Information Security Magazine