
100 Million Passwords For Sale From Russian Social Network VK

Last month it was LinkedIn (117 million passwords) and MySpace (427 million passwords). This weekend the same hacker, [email protected], made available a further 100 million password credentials stolen from Russian social media site VK. He claims to have a further 70 million accounts but is not yet releasing the remainder.

The VK details were obtained some time between 2011 and 2013, and would consequently seem to represent almost all VK members at the time. It is likely that this happened while the organization was still headed by founder Pavel Durov. In 2014, under pressure from a Kremlin Internet crackdown, he sold his shares to the group and left Russia, later founding the encrypted chat app Telegram. At the time of writing, Durov has made no comment about the VK leak on his Twitter account.

The hacker is selling the database on the dark web site The Real Deal for just 1 bitcoin (currently just under $600). He asked for 5 bitcoins for his LinkedIn dataset – suggesting that criminals would consider LinkedIn users potentially more valuable than VK users.

Public news of the leak first appeared on LeakedSource, a repository of hacked credentials. LeakedSource says that the database was “provided to us by a user who goes by the alias ‘[email protected]’.” It says nothing about how the hacker might have obtained the details, but just adds, “This data set contains 100,544,934 records. Each record may contain an email address, a first and last name, a location (usually city), a phone number, a visible password, and sometimes a second email address.”

LeakedSource does, however, provide a brief analysis of the passwords and email addresses. Unsurprisingly for a Russia-based social media site, the top four mail providers are Russian. Gmail is the fifth most popular provider. Not surprisingly, 123456 is again the most popular password, followed by 123456789 and qwerty. LeakedSource lists the top 55 passwords – all of which could be cracked within seconds if they were hashed. In this case, however, it seems as if the passwords were stored and stolen in plaintext.
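The point about top passwords falling within seconds even when hashed can be shown from the defender's side. The following is an added example, not code from the article, LeakedSource or VK: it audits a constructed table of unsalted fast hashes against a small denylist, then stores passwords with a per-user salt and a slow KDF. SHA-256 and scrypt are assumptions chosen for illustration, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed denylist: the three most common passwords named in the article.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty"}

# Assumed scrypt cost parameters (about 16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def fast_unsalted(password):
    """Weak scheme for comparison: one unsalted SHA-256 pass."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_audit(stored_hashes, wordlist):
    """Return {user: password} for accounts whose unsalted hash matches a
    listed password. One precomputed lookup covers every user at once,
    which is why hashing alone does not protect the most common choices."""
    lookup = {fast_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}


def register(password):
    """Reject denylisted passwords, then store (salt, scrypt digest)."""
    if password in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password denylist")
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample table of unsalted hashes.
    table = {
        "alice": fast_unsalted("123456"),
        "bob": fast_unsalted("qwerty"),
        "carol": fast_unsalted("T7#correct-horse-staple"),
    }
    print(dictionary_audit(table, COMMON_PASSWORDS))
```
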

VK is currently claiming that it has not been hacked. In a statement it said, “VK database hasn’t been hacked. We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily. Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”

Researchers are suggesting that this is not so. Motherboard reports, “Out of 100 randomly selected email addresses… 92 corresponded to active accounts on the site, Motherboard found. A Russian friend contacted by Motherboard confirmed that the password was correct.”

On June 1, the FBI warned that the LinkedIn, MySpace and Tumblr credentials are fueling an extortion campaign demanding payment of between 2 and 5 bitcoins. One example it quotes says, “Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.” 

VK users – especially those with live accounts – should now expect something similar.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
