The Hacker News — Cyber Security, Hacking, Technology News

Exclusive — If you have an account on Taringa, also known as "The Latin American Reddit," your account details may have compromised in a massive data breach that leaked login details of almost all of its over 28 million users.

Taringa is a popluar social network geared toward Latin American users, who create and share thousands of posts every day on general interest topics like life hacks, tutorials, recipes, reviews, and art.

The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users.

The hashed passwords use an ageing algorithm called MD5 – which has been considered outdated even before 2012 – that can easily be cracked, making Taringa users open to hackers.

Wanna know how weak is MD5?, LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days.

LeakBase has shared a dump of 4.5 million Taringa users with The Hacker News to help us verify the authenticity of the leaked database.

Using email addresses in the dump, we contacted a few random Taringa users with their plain text passwords, who acknowledged the authenticity of their credentials.

The data breach reportedly occurred last month, and the company then alerted its users via a blog post, sharing more information about the incident.

"It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says.

"At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."

To protect its users, Taringa is currently sending a password reset link via an email to its users as soon as they access their account with an old password.
One of the contacted users has also shared a screenshot of the notice with The Hacker News, as shown above.

"We've made a massive password reset strategy and also increased the encryption of the passwords from MD5 to SHA256. We've also been in contact with our community via our customer support team," a Taringa spokesperson told The Hacker News.

Leaked Database Analysis

Here below we have a brief analysis of the leaked database, which suggests that even after countless warnings, most people are continuously using deadly-simple passwords to safeguard their most sensitive data.

As you can see in the image given below, LeakBase team managed to crack 26,939,351 out of 28,722,877 passwords hashed using the MD5 algorithm, out of which over 15 Million were unique passwords.

The vast majority of the cracked passwords were alpha and lower case alpha and did not contain any special characters or symbols.


Here below we have the list of most popular/common passwords chosen by Taringa users that also includes top worst passwords such as 123456789, 123456, 1234567890, 000000, 12345, and 12345678.

The most popular length of the password was six characters long, followed closely by eight characters, nine and ten characters. Expectedly, the percentages drop drastically as you go higher in length.


Besides the cracked passwords, LeakBase also take a look at the email addresses contained in the leaked data dump, and the most common email domains are as follows:

But, are Taringa users entirely responsible for choosing weak passwords?

Not completely. It's also the fault of the company, who failed to enforce a strong password policy on their users, eventually allowing them to sign up with weak passwords.

After data breaches, the organisations tend to blame the end users for poor password security, but they forget to provide them one.

So far, it has not been clear who is behind the attack on Taringa, neither how the attackers managed to breach into its servers.

Meanwhile, in a separate news,we reported about an unknown hacker selling personal details on more than 6 million high-profile Instagram accounts on an online website, Doxagram, after the hacker breached the Facebook-owned photo sharing service using a flaw in its API.

How to Help Protect Yourself from Data Breaches

Of course, if you are one of those potentially affected users, you are strongly recommended to change your passwords immediately.

Also, change passwords for other online accounts for which you are using the same password as for Taringa account.

Even if any website allows you to create an account with a weak password, you should always choose a complex password. Use a good password manager, if you find following best practices difficult.

Moreover, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source correctly.

Another day, another data breach.

This time a popular video sharing platform DailyMotion has allegedly been hacked and tens of millions of users information have been stolen.

Breach notification service LeakedSource announced the data breach on Monday after the company obtained 85.2 Million records from Dailymotion.

According to LeakedSource, the DailyMotion data breach appears to have taken place on October 20, 2016, which means it is possible that hackers have been circulating the data for over a month.

The stolen data consists of 85.2 Million unique email addresses and usernames and around 20 percent of the accounts (more than 18 Million users) had hashed passwords tied to them.

The passwords were protected using the Bcrypt hashing algorithm with ten rounds of rekeying, making it difficult for hackers to obtain user's actual password.

Bcrypt is a cryptographic algorithm that makes the hashing process so slow that it would literally take centuries to actual brute-force password of a user.

ZDNet received a sample of the stolen data and confirmed that the data came from the Dailymotion website, but representatives for Vivendi, the majority owner of Dailymotion did not yet respond to any comments.

If you are one of the 18 million DailyMotion users who had their hashed password leaked, you are advised to change your password on the entertainment website as well as on others where you have reused your password.

LeakedSource has added the DailyMotion stolen data to its search index, so you can check if your account has been affected.

Also use a good password manager to create complex passwords for different sites as well as remember them. We have listed some good password managers that could help you understand the importance of password manager and choose one according to your requirement.

 hash a69649f9f5a7f81ac303ea77d748c77a

“We sent an email to users with compromised accounts letting them know what to do,”

“Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked.”