Over 25 million email accounts and weakly protected passwords have been compromised in the latest breach involving three separate forums associated with Mail.Ru.
In a recent data breach attack, more than 25 million email accounts and passwords that are easy to crack have been stolen from three different game-related forums. The forums are associated with the Russian internet giant Mail.Ru.
Two of the data breach attacks were carried out in July and August. It has been reported that more than half the number of leaked accounts were stolen from a successful data breach attack on a single forum. Around 13 million accounts were stolen from cfire.mail.ru, another 9 million from parapa.mail.ru, and close to 3 million accounts were stolen from tanks.mail.ru.
The attackers behind these hacks are unknown. They are believed to have carried out these attacks by exploiting known SQL injection vulnerabilities in the vBulletin forum software.
The news on this attack was provided by LeakdSource, the breach notification site, in early August. They were able to obtain a database of the breached forums and added them to their database of leaked sites. The data stolen by hackers includes email addresses, usernames, date of births, and of course, passwords.
LeakedSource has revealed that more than half of these passwords were easy to crack for the hackers, since they were encrypted by the out-dated technology of MD5 algorithms. There are a host of readily available cracking tools that allow hackers to crack weakly protected passwords.
Moreover, the breach notification site also revealed that the four most common passwords were some permutation and combination of ‘12345678’. Using such weak passwords would have only aided the hackers in their task of cracking the passwords.
This is another instance of web services being attacked due to out-dated and weak technology protecting their forums. The recent DLH.net and Epic Games forums were attacked in a similar fashion, where the hackers exploited SQL injection vulnerabilities in the vBulletin software as well. It is difficult to understand why major web services take protection so casually and with such a careless approach.
Speaking of Mail.Ru, this isn’t the first time they have been breached. This year, in June, they admitted their company, also the owner of Russian social networking website VK.com, was also breached, albeit a few years ago when their security systems were not as secure.
When asked to comment on this recent breach, their spokesperson, Nataliya Bogdanovich, said that the passwords are from forums of game projects from years ago. She played down the attack further, saying that the passwords have not been in use for years, and that the company now protects its users with a secure integrated authorization system.
But hey, if you’re a gamer, don’t wait for somebody else to protect you, get yourself a VPN suited to gaming to add another layer of security. Also, don’t forget to use good password management.