Record Rambler Breach Highlights Password Flaws

Security experts have called once again for an end to password-based authentication systems after nearly 100 million records were leaked online from Russian online portal Rambler.ru.

LeakedSource claimed to have received the dataset of 98,167,935 users from the same source as the recently disclosed Last.fm ‘mega breach’, which exposed 43 million credentials stolen back in 2012.

The Russian Yahoo-like site’s woes also stem from a cyber-attack in that year – 17 February, to be precise – with compromised information including username, visible plaintext passwords, account numbers for the ICQ instant messaging platform, and other internal data, according to the report.

Usernames are also the first part of a rambler.ru email address, doubling the jeopardy for affected individuals.

Rambler is not alone in storing passwords in plaintext. Russian social networking giant VK.com was found to have done the same when it suffered a breach of over 100 million records back in June.

Worryingly, many of the top 50 passwords used on Rambler were easy-to-remember credentials such as “123456” or “qwertyuiop.”

“We verified this database with the help of journalist Maria Nefedova who works for xakep.ru. Specifically, we sent three of her friends the first portion of the passwords found attached to their accounts in this breach, and they were able to accurately fill in the rest (4-6 characters each) for us with 100% accuracy,” claimed LeakedSource.

“Just like every single mega breach we have exposed before, attempts to contact Rambler by other journalists on our behalf have failed at the time of this post.”

James Thompson, SecureAuth EMEA regional director, claimed users might have updated their passwords in the four years since the breach to something more complex.

“However, we know the reality is that users not only keep passwords simple, they reuse them across multiple sites and since these compromised passwords are also associated with an email address the threat of compromise across multiple sites is very real,” he added.

“This incident, and the vast scale of it, has to serve as a pertinent reminder to businesses of all sizes that they need to ensure that employees and customers alike are secured by multiple layers of adaptive authentication.”

Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, argued that the incident proves why username/password systems are no longer effective.

“Forward thinking organizations are beginning to embrace more advanced identity-centric solutions that improve the customer experience, while also providing stronger security,” he continued.

Luke Brown, EMEA general manager at Digital Guardian, warned that compromised personal credentials can also be a corporate security risk.

“Many companies will have employees affected by the breach, and they should make sure that employees can’t use the same password for their personal and professional accounts,” he explained.

“Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information.”