Over 25 Million Accounts Stolen After Mail.ru Forums Hacked

An anonymous reader writes: Over 25 million accounts associated with forums hosted by Russian internet giant Mail.ru have been stolen by hackers. Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data -- a little under 13 million records; the other two forums making up over 12 million records. The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases. The hackers' names aren't known, but used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases. An analysis of the breached data showed that hackers took 12.8 million accounts from cfire.mail.ru; a total of 8.9 million records from parapa.mail.ru, and 3.2 million accounts from tanks.mail.ru. The hackers were able to obtain usernames, email addresses, scrambled passwords, and birthdays.

Obviously ( Score: +5, True )

[Anonymous Coward]

Russia did it !

Yours In The Pentagon,
K. Trout

Re:

[Anonymous Coward]

DNC nerd goons looking for retribution ...

Re:

[unixisc]

Probably one who wants to date Debbie Wasserman Schultz

Re:

[Kernel Krumpit]

is that you Kilgore?

big woop

[BringsApples]

The hackers were able to obtain usernames, email addresses, scrambled passwords, and birthdays.

So they have usernames (made up), email addresses (like I have on my business card), scrambled passwords (not even sure if this matters), and birthdays (not really something that many keep private anyway). I wouldn't care if any of this were taken from me, even if it were my gmail account.

Re:

[The-Ixian]

It depends on how the passwords were "scrambled"

Even if they were just hashes, those hashes could be used to correlate against a number of existing password databases from previous leaks (if the hashing algrothims are known or can be guessed). That could then give you better data on who is using the same password elsewhere.

Also, a birthday is not a trivial piece of information. It is used as a security question all too often. It also give the attacker more clues about you which is never good.

Re:

[BringsApples]

You have a good point, and honestly I have no idea to what degree the email service integrates with other sites. Maybe it's a bigger deal than I first thought.

I guess I just feel like everyone should be using some local email client, and saving all email locally, rather than on the provider's server(s). Of course there are very good arguments against that. However, Hillary Clinton comes to mind.

I bet...

[sciengin]

I bet it was again those evil russian hack-
Oh wait...

Eeh

[fubarrr]

In Soviet Russia ... you

23 million spammers

[lurker412]

The vast majority of the accounts probably were fake accounts used by spammers. Oh, well...

Re:

[laffer1]

You haven't used a forum lately have you? Most are full of spam

Someone hacked the Russians?

[russotto]

Maybe it was the DNC thinking payback was fair play?

vBulletin

[Sumus Semper Una]

Seriously, do we need an icon for vBulletin now? That's 4 stories in less than 2 weeks about major forums having their information leaked via known vBulletin exploits. It sounds like some people (maybe the same ones each time, maybe not) are just going around to all the major forums that run vBulletin and seeing if they're running an older version with the known vulnerability. Surprise, surprise - most forums haven't bothered to upgrade their vBulletin software. If we're going to keep seeing this story

headline should be....

[muphin]

"over 25 million spammer accounts stolen" the amount of spam i get from mail.ru .. i think 90% of the emails they have are created by bots to spam.