Imagine if your Facebook password, your email address, and phone number got leaked. Imagine it also happened to 171 million other people at the same time. That would be pretty bad, to say the least, right?
For more than 171 million users of the giant Russian social media service VK, this is a reality.
The hack, which emerged publicly Sunday night, contains the names, locations, email addresses, unencrypted VK passwords, and phone numbers of 171 million users, which by VK's own accounting is almost half the service's user base. The hackers are apparently going by the alias "Tessa88."
According to crosschecks run by ZDNet and Motherboard, the data appears to be legit. While VK (short for its original name, Vkontakte) has yet to respond to my request for comment, a rep for the company told Motherboard that "VK database hasn’t been hacked."
"We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012," they wrote to the site. "All users’ data mentioned in this database was changed compulsorily."
Of course, even if that is true, leaks of passwords can be damaging for people who reuse those passwords on other sites. Facebook CEO Mark Zuckerberg for example just had his Twitter and Pinterest accounts hacked, allegedly as a result of the leak of his password in the massive LinkedIn hack years ago.
Complicating things, a large chunk of the information, though not the entire database, is for sale. Information on 100 million accounts is being sold at the cost of a single bitcoin, which is currently worth around $580.
LeakedSource, a site that hosts and analyzes various hacked databases, also received a copy of part of the data from Tessa88. They say they have information about 100,544,934 accounts, and that their analysis reveals a remarkable number of really, really bad passwords. How many? Supposedly, 709,067 accounts were using "123456" as a password, and 416,591 were using "123456789." Strangely, no Russian words appear in the site's analysis of the most frequently used passwords, not even the Russian translation of "password."
Aside from some pretty bad user security, the big issue here seems to be VK's disregard for security in general.
Even if this is an old database, we're talking about a company whose founder was forced out and claims the site is now run by Russian president Vladimir Putin's lackeys. VK also allows user photos to be scraped and searched by face recognition apps such as FindFace, which threatens its users' public anonymity. The site was also used to run DDoS attacks.
Despite all that, VK remains massively popular: the web-ranking service Alexa says it's the third most-visited site in Russia, after Google and the Russian search engine Yandex. And odds are it'll keep growing, because the network effect of being Russia's biggest social network works in its favor. That means more Russian-speaking users giving information to a tech company with a terrible track record on protecting their information.
So, if you've got a VK account, be careful about putting anything too damning on there.
Ethan Chiel is a reporter for Fusion, writing mostly about the internet and technology. You can (and should) email him at firstname.lastname@example.org