45 Million Records Stolen from Over 1,100 Websites
Hackers have stolen 45 million records from 1,100 websites that were hosted by VerticalScope, according to LeakedSource.
The stolen information includes the usernames, passwords, email addresses or IP addresses of more than 45 million members of car, sports and tech sites.
“This data set contains nearly 45 million records from over 1100 websites and communities,” LeakedSource wrote. “Each record may contain an email address, a username, an IP address, one password and in some cases a second password.”
All of the breached websites are run by VerticalScope, a Canadian company that owns and operates 480 online communities, content portals and e-newsletters, according to the company’s website.
Jerry Orban, VerticalScope’s VP of corporate development, confirmed the possible breach in an email to Motherboard. He said the company is “aware of the possible issue” and is investigating and providing data for law enforcement.
“We believe that any potential breach is limited to usernames, user ids, email addresses, and encrypted passwords of our users,” Orban wrote.
While the passwords may have been encrypted, LeakedSource, which has gained notoriety in recent weeks for selling data stolen from LinkedIn, MySpace and Twitter, said that they were able to crack 74% of the stolen passwords, approximately 33 million. Most of the sites used a weak algorithm, MD5, to hash and encode the passwords.
If these number are accurate, this is one of the largest data breaches ever.
LeakedSource said that, not only were the passwords weakly protected, VerticalScope must also have saved all of its data on a limited number of servers.
“Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale,” LeakedSource said.
For its part, Orban said in a statement that the company is “reviewing our security policies and practices and […] implementing security changes related to our forum password strength and password expiration policies across certain forum communities.”
While the hackers have not been identified, LeakedSource said the breach occurred in February 2016.