Taringa hacked: More than 28 million user records stolen from popular social website

Firm confirms 'external attack that compromised the security of our databases'.

The leaked passwords were hashed with MD5 and easily cracked.

More than 28 million records linked to Taringa, a Reddit-like social networking website popular in Latin America, have reportedly been stolen by hackers.

According to The Hacker News, a data breach notification service called LeakBase obtained a copy of the database and – upon analysis – found that it contained a total of 28,722,877 records including usernames, hashed credentials and personal email addresses.

The Taringa website claimed to have 28,511,984 registered users at the time of writing, meaning that, if accurate, hackers were able to compromise the vast majority of the platform's overall userbase.

Passwords were reportedly hashed with MD5, an algorithm long known to be vulnerable to attack.

LeakBase, which charges customers for the ability to check if their details are included in hacked databases, claimed that it had already cracked 26,939,351 (93.79%) of the passwords in the trove.

There were, the service claimed, a total of 15 million unique credentials included in the database.

Impacted Taringa users confirmed the records were linked to personal profiles, The Hacker News reported after being provided with a slice of 4.5 million records. The outlet did not, however, elaborate on exactly how many people it had confirmed were included in the leak.

A notification posted to the Taringa website claimed the incident took place on 1 August 2017.

It read: "We suffered an external attack that compromised the security of our databases and the code of Taringa." It said there was no evidence that the hackers still had access to servers.

Security administrators confirmed that a password reset would be enforced for all affected users and noted that they would be bulking up encryption on new passwords.

"Be wary of any communication that seems to come from Taringa," it told the community. The identity of the hacker, or hackers, remains unknown.

It also remains unclear how LeakBase obtained a copy of the records. An email to the contact address listed on its website remained unanswered by the time of publication.

In a more detailed analysis of the leaked credentials, the LeakBase researchers claimed the passwords were shockingly weak – including 123456, 000000, Barcelona, metallica, qwertyuiop and Santiago. The top email domains included Hotmail, Gmail and Yahoo.

The Taringa platform is described on its website as "a virtual community where users share all kinds of information through a collaborative interaction system".

Last year, a similar breach notification website known as LeakedSource published some of the biggest leaks (in size, if not importance) known to date. Major leaks from popular online platforms impacted Yahoo, MySpace, Dropbox, VK, LinkedIn, Rambler and more.

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.