Latin American social networking site Taringa has suffered a database breach that has resulted in the spill of more than 28 million records.
Usernames, hashed passwords (using the weak MD5 algorithm) and personal email addresses have been exposed by the breach. Argentinia-based Taringa’s breach statement (in Spanish) can be found here. Neither phone numbers nor addresses from Bitcoin wallets associated with a Taringa program were exposed by the breach, according to the Reddit-like social networking site.
LeakBase claims that it has already cracked 94 per cent of password hashes exposed in the latest dumps.
In response, Taringa – which has users all over the Spanish-speaking world – has applied a password reset as well as urging consumers to review their use of login credentials elsewhere to make sure they are not using the same (now compromised) passwords on other sites.
Although the breach affects a consumer site, it poses a risk for corporates because it opens the door to the well-practised hacker tactic of using the same login credentials to break into more sensitive (webmail, online banking) or corporate accounts. The still widespread practice of password reuse opens the door to such credential stuffing attacks.
A list of top 50 common/worst passwords chosen by Taringa users can be found here.
Andrew Clarke, EMEA director at One Identity, opined: "The reported breach at Taringa highlights some fundamental issues. The fact that an administrative file holding passwords was accessible demonstrates little or no control over privileged accounts. Then the passwords were easily cracked since the company used a weak MD5 (128-bit) algorithm rather than SHA-256.” ®