Hackers Make Off With Over 40 Million Passwords From 1,000 Sites

Usernames and passwords of more than 45 million users of forums and sites running on the Verticalscope platform are being traded online.

Jun 14 2016, 6:32pm

Illustration: Che Saitta-Zelterman

Hackers have stolen the personal data, including usernames, passwords, email addresses, and IP addresses of more than 45 million people who are members of car, sports, and tech sites such as AutoGuide.com, Motorcycle.com and Techsupportforum.com, according to the data breach notification site LeakedSource.

"This data set contains nearly 45 million records from over 1100 websites and communities," LeakedSource wrote in a blog post published on Tuesday. "Each record may contain an email address, a username, an IP address, one password and in some cases a second password."

All the sites that were victims of this hack run on a platform provided by VerticalScope, a Canadian company that owns and operates around 480 "online communities, content portals, and e-newsletters," according to the company's official website.

VerticalScope's vice president of corporate development Jerry Orban seemed to confirm the data breach on Tuesday, telling Motherboard in an emailed statement that the company is "aware of the possible issue," and that it's investigating and collecting data to provide it to law enforcement.


"We believe that any potential breach is limited to usernames, userids, email addresses, and encrypted passwords of our users," Orban wrote.

But one of the operators of LeakedSource, a website that's made a name for itself in the last few weeks for hosting a seemingly endless series of big-name hacks like the ones against LinkedIn, MySpace, and VKontakte, said that the majority of the passwords are easy to crack. In fact, the operator told Motherboard that they were able to crack 74 percent of all the stolen passwords, which amounts to roughly 33 million, because most of the sites used an "insufficient" and weak algorithm—known as MD5—to hash the passwords.

The most used passwords on VerticalScope's websites, according to LeakedSource's analysis of the hacked data.

If the numbers are correct, this would be one of the largest data breaches ever, ranking sixth on the data breach awareness site haveibeenpwned.com, which collects data breaches and notifies users when their records have been compromised.

"Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale," LeakedSource said.

VerticalScope's Orban did not answer other more specific questions on the extent of the breach and on how the company protects its users' data. In the statement, however, he added that "we are reviewing our security policies and practices and [...] implementing security changes related to our forum password strength and password expiration policies across certain forum communities."

It's unclear who hacked VerticalScope. The LeakedSource operator said they didn't know who the culprits were, but said the breach dates back to February 2016. Peace, a cybercriminal who's known for selling hacked data, also said he heard of the breach at the time and has seen the data being traded online, but didn't know who was responsible.

"[VerticalScope] got raped. I think [someone] rooted the server too [and] got access to a shit load of [databases]," he told Motherboard in an online chat.

The lesson: As with all the recent big name data breaches, there are two lessons here, one for the hacked company, and one for the users. VerticalScope should have used better processes and mechanisms to protect the passwords, making them harder to crack even in the event of a data breach.
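
As an added illustration (not part of the original article), here is the contrast the article draws between unsalted MD5 and a scheme built for password storage, in Python. The sample password list, the scrypt parameters and the function names are this example's own choices, not anything from VerticalScope or LeakedSource.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed sample: the kinds of weak, reused passwords a forum user base
# tends to choose. This is not the leaked data.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]

# scrypt cost parameters chosen for this example (128 * n * r bytes = 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_store(password: str) -> str:
    """Unsalted MD5: the scheme the article says most of the sites used."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """With no salt, one precomputed table serves every user at once, which is
    why a large share of such hashes fall to a plain dictionary comparison."""
    table = {md5_store(p): p for p in wordlist}
    return table.get(stored_hex)


def scrypt_store(password: str) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a memory-hard KDF: each guess must be
    recomputed per user, so a leaked table stays expensive to crack."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = md5_store("football")
    print("unsalted MD5 recovered by lookup:", md5_lookup(weak, COMMON_PASSWORDS))
    salt, digest = scrypt_store("football")
    print("scrypt verify:", scrypt_verify("football", salt, digest))
```

Two users who pick the same password get identical MD5 hashes but different scrypt records, so the salted scheme also denies an attacker the "crack once, unlock many" shortcut.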

Users of the countless websites and forums run by VerticalScope should change their passwords and make sure they're not using that same password and username or email address combination somewhere else. If they are, they should change it immediately. And once again, and this is good advice for everyone: We should all really stop reusing passwords.
