Over 28 Million Records Stolen In Breach of Latin American Social Network Taringa (thehackernews.com)
Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hacker News reports: The Hacker News has been informed by LeakBase, a breach notification service, which has obtained a copy of the hacked database containing details on 28,722,877 accounts, including usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which was considered outdated even before 2012 -- that can easily be cracked, leaving Taringa users open to hackers. Want to know how weak MD5 is? The LeakBase team has already cracked 93.79 percent (nearly 27 million) of the hashed passwords within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have obtained the database containing nicks, email addresses and encrypted passwords. No phone numbers, access credentials for other social networks, or bitcoin wallet addresses from the Taringa! Creators program have been compromised," the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa! code, and our team continues to monitor unusual movements in our infrastructure."
"...there is no concrete evidence..." (Score:2)
Re: (Score:1)
Most records are made of vinyl, not concrete...
Were they all 'Los Lobos' and 'Selena'? (Score:2)
Were they all 'Los Lobos' and 'Selena'?
Or were other records stolen?
Salt (Score:2)
Does this mean they weren't using a salt value?
Even with MD5, I can't imagine that it would be that easy to crack when salting with a different salt for each password, as best practice states, but I have never looked into it closely so I am wondering...
Re: (Score:2)
Also, from TFA:
"We've made a massive password reset strategy and also increased the encryption of the passwords from MD5 to SHA256. We've also been in contact with our community via our customer support team," a Taringa spokesperson told The Hacker News.
Why not go with a SHA512 salt and a SHA512 hash while at it and "upgrading" security? I do not see the load on the system being raised that much because of that. Anyway, that's what I use.
And no mention of salts anywhere in TFA.
Re: (Score:2)
Salting won't stop a rainbow table,
Hmm... that is not my understanding, although I might be wrong: rainbow tables to crack WPA/WPA2 passwords are unique to the name of the access point (AP) because the AP name is used as a salt in the hash. You can't reuse the same rainbow table when the AP name, i.e. the salt, is different. You need a rainbow table for every AP name.
since MD5s usually have to be stored next to their salts, or they're useless.
I also salt the salt with a unique hard coded formula residing in the application binary code to try to mitigate that a bit ;-)
Salts prevent someone whose hash happens to equal yours from learning that you are using the same password. They make cracking each individual hash require effort, rather than letting an attacker hunt for reused passwords.
Agreed,
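The salting question and the rainbow-table exchange above, as an added example; this is not code from the thread, from Taringa or from LeakBase, and the accounts and wordlist in it are constructed sample data. It shows why one precomputed MD5 table serves every account in an unsalted store (and exposes which users share a password), why a unique per-user salt forces the work to be redone for each account and hides reuse, and what a password store should actually use instead: a salted, deliberately slow KDF, here PBKDF2-HMAC-SHA256 from the standard library. A bare SHA-256 is as fast as MD5 for a cracker; the salt plus an iteration count is what changes the economics.

```python
"""Added example (not from the thread, Taringa or LeakBase): unsalted MD5
versus per-user salted MD5 versus a real password KDF (PBKDF2-HMAC-SHA256).
All account data and the wordlist below are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed sample accounts: username -> cleartext password the user chose.
USERS = {
    "ana":   "password123",
    "bruno": "qwerty",
    "carla": "password123",     # reuses ana's password
    "diego": "Tr0ub4dor&3!xZ",  # not in the attacker's wordlist
}

# Constructed attacker wordlist standing in for a rockyou-style list.
WORDLIST = ["123456", "password", "qwerty", "password123", "taringa"]


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """What a legacy MD5 store looks like: username -> md5(password)."""
    return {u: md5_unsalted(p) for u, p in users.items()}


def build_salted_store(users: dict) -> dict:
    """Per-user random salt stored beside the hash: username -> (salt, hash)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, md5_salted(p, salt))
    return store


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Hash each word once, then check every account against that one table.
    Returns (cracked, number of MD5 operations)."""
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store: dict, wordlist: list) -> tuple:
    """The table cannot be shared: every word is rehashed for every account,
    so the cost scales with accounts x words and nothing amortises."""
    cracked, ops = {}, 0
    for u, (salt, h) in store.items():
        for w in wordlist:
            ops += 1
            if md5_salted(w, salt) == h:
                cracked[u] = w
                break
    return cracked, ops


def shared_passwords(hashes: dict) -> list:
    """Equal hashes in an unsalted store mean equal passwords; with per-user
    salts the same passwords give different hashes and this finds nothing."""
    by_hash = {}
    for u, h in hashes.items():
        by_hash.setdefault(h, []).append(u)
    return [users for users in by_hash.values() if len(users) > 1]


def pbkdf2_store(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """Salted and deliberately slow. The parameters travel with the digest so
    the iteration count can be raised later, one login at a time."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    print("unsalted:", crack_unsalted(unsalted, WORDLIST),
          "reuse:", shared_passwords(unsalted))
    salted = build_salted_store(USERS)
    print("salted  :", crack_salted(salted, WORDLIST),
          "reuse:", shared_passwords({u: h for u, (_, h) in salted.items()}))
    record = pbkdf2_store("password123")
    print("pbkdf2  :", record[:40] + "...", pbkdf2_verify("password123", record))
```

Running it, the salted dictionary attack still recovers the same three weak passwords, only with more hash operations per account: salting does not rescue a bad password, it removes the shared table and the reuse leak. The "salt the salt with a hard-coded formula" idea from the reply is better done as an HMAC with a key kept outside the database (a pepper), so a dump of the table alone is not enough to verify guesses.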
Latin Americans have records? (Score:1)
Thought they were all undocumented.
Just in time for the end of DACA (Score:2)