Password reset: 45 million creds leak from popular .com forums
Complex codes top most used password lists
Some 45 million logins for 939 popular sites including motorcycle.com, autoguide.com, and mothering.com have been stolen.
The method of attack and actor responsible is unknown, although many of the sites ran a vastly outdated and hackable versions of vBulletin.
Usernames, email addresses, IP information, and passwords are breached.
Breach data aggregator LeakedSource which obtained the records says the Verticalscope site and its domains were hacked February. It is allowing users to search if they are affected, but victims have to pay money to learn what sites of the hundreds contain their breached records.
Users should ensure all critical accounts have strong and unique passwords.
"Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale," LeakedSource says.
"Most of the records (over 40 million) were just MD5 with salting and this is insufficient."
Popular passwords included the regular shockers, along with a scattering of seemingly randomised strong codes. The second most popular password was '18atcskd2w' used by 91,103 accounts, with '3rjs1la7qe' coming in fourth spot used by 74,806 accounts.
Speculation by LinuxTechShow pins the abundant complex passwords on malware which compromised accounts using credentials that appear to users on first blush to be unique.
Some 40 million of those breached accounts contain passwords encrypted using gossamer MD5 which can be broken easily.
VerticalScope corporate development vice-president Jerry Orban told ZDNet it was reviewing security policies including password strength and renewal requirements. ®