The data includes email addresses, plain text passwords, phone numbers, and names.
Accounts for over 100 million users of popular social media site VK.com are being traded on the digital underground.
Breach notification site LeakedSource obtained the data and published an analysis on Sunday. The hacker known as Peace, meanwhile, listed the data for sale on a dark web marketplace.
VK, heavily inspired by Facebook, is particularly popular in Russia, and has all the same features one might expect, including messaging, profiles, photo galleries, like buttons, and more. The site was founded by Pavel Durov, who sold his stake in VK and created the messaging app Telegram. As of 2014 VK had 100 million users, according to TechCrunch.
Peace provided Motherboard with a dataset containing a total of 100,544,934 records, and LeakedSource provided a smaller sample for verification purposes. The data contains first and last names, email addresses, phone numbers and passwords.
According to Peace, the passwords were already in plain text when the site was hacked, and were not cracked at a later date. Peace is selling the data for 1 bitcoin, or around $570 at today's exchange rates.
Out of 100 randomly selected email addresses from the larger dataset, 92 corresponded to active accounts on the site, Motherboard found. A Russian friend contacted by Motherboard confirmed that the password was correct.
While many of the phone numbers were genuine, not all of the users had numbers listed. At the time of writing, a phone number is required upon registration, but that was not always the case.
Indeed, according to Peace, the site was hacked sometime between 2011 and 2013, although exactly when is unclear. Peace claimed to have access to another 71 million accounts, but decided not to sell them yet.
LeakedSource wrote on its blog that the data was provided by someone who used the alias "Tessa88." This is the same pseudonym that came up around the recent proliferation of user data from MySpace.
According to LeakedSource's analysis, the most popular password in the dataset was "123456," with 709,067 appearances. Many other passwords were predictable, including "qwerty," "123123," and "qwertyuiop."
The vast majority of email addresses, according to LeakedSource, use the "@mail.ru" domain, with 41,132,524 addresses. Other Russian services dominate the list of top email domains.
Durov declined to comment.
The lesson: Huge data dumps of email addresses and passwords continue to surface. Again, the main lesson from all of these hacks is that users have to create a unique password for every site. This shouldn't be seen as a fancy, additional security step, but a fundamental one to stop hackers getting into different accounts. When the most popular sites on the internet, and the ones that hold our most personal information, are being breached, proper password use is a must.
Update 6 June: A VK spokesperson denied that the site had been breached, and told Motherboard in an email that the "VK database hasn't been hacked. We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users' data mentioned in this database was changed compulsorily. Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password."