100 Million Passwords For Sale From Russian Social Network VK

Last month it was LinkedIn (117 million passwords) and MySpace (427 million passwords). This weekend the same hacker, [email protected], made available a further 100 million password credentials stolen from Russian social media site VK. He claims to have a further 70 million accounts but is not yet releasing the remainder.

The VK details were obtained some time between 2011 and 2013, and would consequently seem to represent almost all VK members at the time. It is likely that this happened while the organization was still headed by founder Pavel Durov. In 2014, under pressure from a Kremlin Internet crackdown, he sold his shares to the Mail.ru group and left Russia, later founding the encrypted chat app Telegram. At the time of writing, Durov has made no comment about the VK leak on his Twitter account.

The hacker is selling the database on the dark web site The Real Deal for just 1 bitcoin (currently just under $600). He asked for 5 bitcoins for his LinkedIn dataset – suggesting that criminals would consider LinkedIn users potentially more valuable than VK users.

Public news of the leak first appeared on LeakedSource, a repository of hacked credentials. LeakedSource says that the database was "provided to us by a user who goes by the alias '[email protected]'". It says nothing about how the hacker might have obtained the details, but just adds, "This data set contains 100,544,934 records. Each record may contain an email address, a first and last name, a location (usually city), a phone number, a visible password, and sometimes a second email address."

LeakedSource does, however, provide a brief analysis of the passwords and email addresses. Unsurprisingly for a Russia-based social media site, the top four mail providers are Russian. Gmail is the fifth most popular provider. Not surprisingly, 123456 is again the most popular password, followed by 123456789 and qwerty. LeakedSource lists the top 55 passwords – all of which could be cracked within seconds even if they had been hashed. In this case, however, it seems as if the passwords were stored and stolen in plaintext.
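The two failures described above (plaintext storage, and passwords so common that hashing alone would not protect them) are both addressed at the point where a site stores a credential. The following is an added example, written for this article and not code from VK, LeakedSource or any project named here; it rejects passwords from a constructed denylist (seeded with the three passwords the analysis names) and stores the rest as a salted PBKDF2-HMAC-SHA256 digest using only the Python standard library. The iteration count is an assumed value to be tuned per deployment.

```python
import base64
import hashlib
import hmac
import os

# Constructed denylist: the three most common passwords the article reports from the
# VK dump. A real deployment would load a far larger list of known-leaked passwords.
TOP_LEAKED_PASSWORDS = {"123456", "123456789", "qwerty"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows
SALT_BYTES = 16


def is_denylisted(password: str) -> bool:
    """True if the password appears in the known-leaked list and must be refused."""
    return password in TOP_LEAKED_PASSWORDS


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt per user means two users with the same password get
    different records, so a single precomputed table cannot match them all.
    """
    if is_denylisted(password):
        raise ValueError("password appears in a known breach list")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count.

    The comparison is constant-time so a timing difference does not leak how
    many leading bytes of the digest matched. Malformed records verify as False
    rather than raising, so callers get one code path for 'login failed'.
    """
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed demo: a refused weak password and a stored strong one.
    for candidate in ("qwerty", "correct horse battery staple"):
        try:
            record = hash_password(candidate)
            print("stored:", record)
            print("verify correct :", verify_password(candidate, record))
            print("verify wrong   :", verify_password(candidate + "x", record))
        except ValueError as exc:
            print("refused %r: %s" % (candidate, exc))
```

Storing the iteration count inside the record lets the site raise the work factor later and re-hash each user's password at their next successful login, without a flag day. Refusing the denylisted passwords is what actually closes the gap the article describes: once a password is on every cracker's first-try list, no amount of hashing makes it safe.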

VK is currently claiming that it has not been hacked. In a statement it said, "VK database hasn’t been hacked. We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily. Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password."

Researchers are suggesting that this is not so. Motherboard reports, "Out of 100 randomly selected email addresses... 92 corresponded to active accounts on the site, Motherboard found. A Russian friend contacted by Motherboard confirmed that the password was correct."

On June 1, the FBI warned that the LinkedIn, MySpace and Tumblr credentials are fueling an extortion campaign demanding payment of between 2 and 5 bitcoins. One example it quotes says, "Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members." 

VK users – especially those with live accounts – should now expect something similar.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.