Slashdot Mirror


Over 28 Million Records Stolen In Breach of Latin American Social Network Taringa (thehackernews.com)

Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hacker News reports: The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which has been considered outdated even before 2012 -- that can easily be cracked, making Taringa users open to hackers. Wanna know how weak MD5 is? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."

16 comments

  1. "...there is no concrete evidence..." by turkeydance · · Score: 1

    as in: we don't know.

    1. Re:"...there is no concrete evidence..." by fustakrakich · · Score: 1

      Most records are made of vinyl, not concrete...

      --
      “He’s not deformed, he’s just drunk!”
  2. Were they all 'Los Lobos' and 'Selena'? by tlambert · · Score: 1

    Were they all 'Los Lobos' and 'Selena'?

    Or were other records stolen?

    1. Re:Were they all 'Los Lobos' and 'Selena'? by Anonymous Coward · · Score: 0

      Menudo as well, thankfully

  3. never heard of it by Anonymous Coward · · Score: 0

    is this in central america? one of those banana republicans?

  4. Salt by ls671 · · Score: 1

    Does this mean they weren't using a salt value?

    Even with md5, I can't imagine that it would be that easy to crack when salting with a different salt for each password as best practices state, but I have never looked into it closely so I am wondering...

    --
    Everything I write is lies, read between the lines.
    1. Re:Salt by ls671 · · Score: 1

      Also, from TFA:

      "We've made a massive password reset strategy and also increased the encryption of the passwords from MD5 to SHA256. We've also been in contact with our community via our customer support team," a Taringa spokesperson told The Hacker News.

      Why not go with a SHA512 salt and a SHA512 hash while at it and "upgrading" security? I do not see the load on the system being raised that much because of that. Anyway, that's what I use.

      And no mention of salts anywhere in TFA.

      --
      Everything I write is lies, read between the lines.
    2. Re:Salt by Anonymous Coward · · Score: 0

      Does this mean they weren't using a salt value?

      Even with md5, I can't imagine that it would be that easy to crack when salting with a different salt for each password as best practices state, but I have never looked into it closely so I am wondering...

      Salting won't stop a rainbow table, since md5s usually have to be stored next to their salts, or they're useless.

      Salts prevent knowing someone else's hash that happens to be equal to yours, from making you able to know the other guy is using your password. They make cracking of each individual hash require effort, rather than being able to hunt for reused passwords.

      But if the hash is weak and you can get a preimage, you're screwed, no matter how much salt you add.

    3. Re:Salt by ls671 · · Score: 1

      Salting won't stop a rainbow table,

      Hmm.. that is not my understanding although I might be wrong: Rainbow tables to crack WPA/WPA2 password are unique to the name of the access point (AP) because the AP name is used as a salt in the hash. You can't reuse the same rainbow table when the AP name, e.g. the salt is different. You need a rainbow table for every AP name.

      since md5s usually have to be stored next to their salts, or they're useless.

      I also salt the salt with a unique hard coded formula residing in the application binary code to try to mitigate that a bit ;-)

      Salts prevent knowing someone else's hash that happens to be equal to yours, from making you able to know the other guy is using your password. They make cracking of each individual hash require effort, rather than being able to hunt for reused passwords.

      Agreed.

      --
      Everything I write is lies, read between the lines.
    4. Re:Salt by Anonymous Coward · · Score: 0

      IIRC there are rainbow tables around for SSIDs such as "Netgear" and "Linksys", which is why those now use some random garbage at the end of the SSID these days (sometimes part of the MAC address, etc.)

  5. Latin Americans have records? by Anonymous Coward · · Score: 1

    Thought they were all undocumented.

  6. I'm old.. by Anonymous Coward · · Score: 0

    I read the title and thought "Geez, how many trucks did they have to bring."

  7. Just in time for the end of DACA by TheOuterLinux · · Score: 1

    Hmmm...

  8. real talk by Anonymous Coward · · Score: 0

    So I get that this is in Hacker News, and the real true purpose of this article is to prompt the hordes of privileged fake nerds to engage in spreading the dogma of password hashing by stimulating their need to feel superior to other privileged fake nerds. But can someone, preferably with actual security credentials, explain how passwords are somehow more sensitive than anything else in a database? I mean other than the fact that the lusers are probably not following their own best practices and are reusing their password elsewhere, other than that, the security, as far as I can tell, is just as important for everything else. If they gained access via a copy of a backup, well then they have purchase history, private messages, and whatever else information you are storing in that database. IOW the information that you are securing with the password is also in the database. Additionally, if they ever were to gain write access, i.e. by compromising the DB password, then they could do things like granting themselves 'administrator' privileges, making purchases, or whatever is within the application the DB is for.

    So, other than the dogma and the brainwashing, why is there always such a big deal made about passwords?

    1. Re: real talk by Anonymous Coward · · Score: 0

      Why are you even on this site?

      Are there more important things than passwords? Probably. Can 28 million logins get you access to things beyond those passwords? Probably.

  9. MD5 broken used in wrong context by Anonymous Coward · · Score: 0

    MD5 is broken as a hash function in the sense that it is easily possible to find two messages having the same hash (takes a few seconds on a laptop). This doesn't have anything to do with someone being able to crack most passwords within a few days. Also with the unbroken SHA3 they would have done this, as this is done by simply checking, for a big list of possible passwords one by one, whether the hash belongs to the password of one of the users. You can do this attack because cryptographic hashes have to be efficient for their intended purpose, but are unfortunately abused by security-unaware programmers, who did not even read the section "Password verification" on the Wikipedia page for cryptographic hash functions.
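The "Salt" thread (comment 4 and its replies) and comment 9 are arguing about the same three storage choices: a bare fast hash, a per-user salted fast hash, and a deliberately slow password hash. The following is an added example, written for this page and not code from Taringa, The Hacker News, or any commenter, that makes the difference measurable on constructed data: it counts how many hash applications a wordlist check costs against each scheme, shows that swapping MD5 for an unbroken hash such as SHA3-256 changes nothing (comment 9's point), shows that a per-user salt removes the shared precomputed table but not the per-user wordlist check (comment 4.2's point), and finishes with a PBKDF2 verifier where every guess costs the stored iteration count. The usernames, passwords and wordlist are constructed; the storage formats are this example's own, not Taringa's.

```python
import hashlib
import hmac
import os

# Constructed wordlist and user table for the demonstration (not real Taringa data).
WORDLIST = ["password", "123456", "taringa", "qwerty", "letmein"]
USERS = {"alice": "password", "bob": "taringa", "carol": "correct-horse-battery-staple"}


def fast_hex(alg: str, data: str) -> str:
    """One application of a fast cryptographic hash (md5, sha256, sha3_256, ...)."""
    return hashlib.new(alg, data.encode()).hexdigest()


def build_unsalted_db(alg: str = "md5") -> dict:
    """Scheme 1, what the article describes: a bare hash of the password."""
    return {u: fast_hex(alg, p) for u, p in USERS.items()}


def build_salted_db(alg: str = "md5") -> dict:
    """Scheme 2: a random per-user salt stored next to hash(salt + password)."""
    db = {}
    for u, p in USERS.items():
        salt = os.urandom(8).hex()          # the salt is not secret; it is stored in clear
        db[u] = (salt, fast_hex(alg, salt + p))
    return db


def wordlist_check_unsalted(db: dict, wordlist: list, alg: str = "md5"):
    """Without salts one table (hash -> word) is built once and serves every user.
    Returns (users whose password is in the list, hash applications spent)."""
    table = {fast_hex(alg, w): w for w in wordlist}
    found = {u: table[h] for u, h in db.items() if h in table}
    return found, len(table)                # one hash application per word, total


def wordlist_check_salted(db: dict, wordlist: list, alg: str = "md5"):
    """With per-user salts no table can be shared: each user costs a fresh pass
    over the list, so the work scales with the number of users, not just words."""
    found, ops = {}, 0
    for u, (salt, h) in db.items():
        for w in wordlist:
            ops += 1
            if fast_hex(alg, salt + w) == h:
                found[u] = w
                break
    return found, ops


# Scheme 3: a slow, salted password hash. Format (this example's own):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a stored value with a fresh 16-byte salt and a tunable work factor."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guess_cost(stored: str) -> int:
    """Hash applications one guess costs against this stored value (1 for schemes 1 and 2)."""
    return int(stored.split("$")[1])


if __name__ == "__main__":
    for alg in ("md5", "sha3_256"):
        print(alg, "unsalted:", wordlist_check_unsalted(build_unsalted_db(alg), WORDLIST, alg))
        print(alg, "salted:  ", wordlist_check_salted(build_salted_db(alg), WORDLIST, alg))
    record = hash_password("taringa")
    print("pbkdf2 verify:", verify_password(record, "taringa"), "cost per guess:", guess_cost(record))
```

Run as a script it reports the same two users found under MD5 and under SHA3-256, with the unsalted table costing five hash applications for the whole user set and the salted check costing one pass per user; against the PBKDF2 record each guess costs the full 200,000 iterations, which is the property comment 9 says a bare cryptographic hash was never designed to have. The salt in scheme 3 is stored in the clear on purpose, as comment 4.2 notes it must be; its job is to stop shared tables and reused-password detection, and the iteration count is what makes each individual guess expensive.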