Over 45 Million passwords from Verticalscope 1,000 sites leaked online

In February the Verticalscope platform was hacked, and more than 45 million passwords from 1,000 websites running on it have been leaked online.

Data breaches, a never-ending saga! Recently we reported a number of clamorous data breaches; hundred thousand million credentials were offered for sale on the dark web. LinkedIn, MySpace, VKontakte, and Twitter are some of the companies affected by this kind of incident.

Today we will discuss another huge amount of data leaked online: more than 45 million passwords from 1,000 sites are offered for sale in the underground market.

In February Verticalscope.com and all of their domains were hacked, and the stolen data fueled the criminal underground.

The Verticalscope data breach would be one of the largest data breaches ever; according to data provided by the expert Troy Hunt on haveibeenpwned.com, it ranks sixth after the following ones:

  1. MySpace: 359,420,698 accounts.
  2. LinkedIn: 164,611,595 accounts.
  3. Adobe: 152,445,165 accounts.
  4. VK: 93,338,602 accounts.
  5. Tumblr: 65,469,298 accounts.

VerticalScope owns and operates around 480 “online communities, content portals, and e-newsletters”; after the data breach, data belonging to its users were offered for sale online.

“Verticalscope.com and all of their domains were hacked in February of 2016. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data,” reported LeakedSource, which obtained the dataset and included its records in a searchable archive.

The records included in this new data set contain usernames, passwords, email addresses, and IP addresses of people who are members of car, sports, and tech sites such as AutoGuide.com, Motorcycle.com and Techsupportforum.com.

“This data set contains nearly 45 million records from over 1100 websites and communities. Some of the larger domains include Techsupportforum.com, MobileCampsites.com, Pbnation.com and Motorcycle.com. Each record may contain an email address, a username, an IP address, one password and in some cases a second password. We added this data set to LeakedSource on April 27th 2016 but only analyzed it now.
Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale. ZDNET reporter Zack Whittaker contacted VerticalScope on our behalf and they confirmed the breach in addition to our verification from April.” continues LeakedSource.

According to Motherboard, which also reported the news, the operators behind LeakedSource were able to crack 74 percent of all the stolen passwords. The experts explained that many websites used the MD5 hashing algorithm with salting to protect passwords, which made it too easy for them to crack roughly 33 million passwords.
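For sites still holding salted MD5 hashes like the ones described above, the following added example (not code from the article, LeakedSource or VerticalScope) shows how existing rows can be wrapped in scrypt immediately, without knowing the passwords, and then upgraded to native scrypt at the next successful login. The `md5(salt || password)` layout, the `$`-separated record format, the scrypt parameters and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024

def _md5_hex(password: str, salt: str) -> str:
    # Assumed legacy layout: md5(salt || password), hex-encoded.
    return hashlib.md5((salt + password).encode()).hexdigest()

def _scrypt_hex(secret: str, salt: bytes) -> str:
    return hashlib.scrypt(secret.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=32).hex()

def legacy_record(password: str, salt: str) -> str:
    """Weak storage format (constructed for the example): md5$salt$digest."""
    return f"md5${salt}${_md5_hex(password, salt)}"

def wrap_legacy(record: str) -> str:
    """Offline migration: scrypt over the stored MD5 digest, no password needed."""
    scheme, md5_salt, digest = record.split("$")
    if scheme != "md5":
        return record  # already wrapped or native, nothing to do
    salt = os.urandom(16)
    return f"scrypt-md5${md5_salt}${salt.hex()}${_scrypt_hex(digest, salt)}"

def native_record(password: str) -> str:
    """Target format: scrypt directly over the password with a random salt."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt_hex(password, salt)}"

def verify(password: str, record: str):
    """Return (ok, record_to_store); a successful login upgrades to native scrypt."""
    parts = record.split("$")
    if parts[0] == "md5":
        ok = hmac.compare_digest(_md5_hex(password, parts[1]), parts[2])
    elif parts[0] == "scrypt-md5":
        inner = _md5_hex(password, parts[1])  # recompute the legacy digest first
        ok = hmac.compare_digest(_scrypt_hex(inner, bytes.fromhex(parts[2])), parts[3])
    elif parts[0] == "scrypt":
        ok = hmac.compare_digest(_scrypt_hex(password, bytes.fromhex(parts[1])), parts[2])
        return ok, record
    else:
        raise ValueError(f"unknown scheme {parts[0]!r}")
    return ok, (native_record(password) if ok else record)
```

Running `wrap_legacy` over every stored row removes the bare MD5 digests from the database right away; `verify` then replaces each wrapped row with a native scrypt record as users log in.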

The following table lists the Verticalscope top 5 passwords; the complete data is available on the site of the popular service. The most used password on VerticalScope websites was ‘123456’; using weak passwords is a very bad habit.

At the time I am writing, the identity of the culprit behind the VerticalScope hack is still unknown; this time, the data weren’t provided by the same actors that were recently mentioned in other data breaches.

As usual, let me suggest using strong passwords, avoiding sharing account credentials across multiple web services, and enabling two-factor authentication every time you can.

Pierluigi Paganini

(Security Affairs – Verticalscope, data breach)
