33 million CLEARTEXT creds for Russian IM site dumped by chap behind Last.FM mess
Leaker tells El Reg his dumps are justified because they trigger password resets
Instant messaging platform QIP.ru has suffered the loss of approximately 33 million user records, which have emerged as cleartext.
Utah-based security firm Heroic was sent the data from a user known as Daykalif who last week leaked 98.1 million cleartext accounts for Rambler.
The same hacker also leaked words 43.6 million cleartext records for Last.fm.
Heroic communications officer Wyatt Semanek says in a statement it has validated the breached accounts and said they were leaked between 2009 and 2011.
"The database contains user email addresses, usernames, passwords and other related fields dating from 2009-2011," Semanek says.
"The passwords within the database were stored in plaintext with no encryption or hashing."
QIP is a free internet communication platform much like ICQ. The downloadable program provides websites and users the ability to send instant messages as well as video and audio calls.
Daykalif told The Register many of the databases he/she/they leak have been passed between many hands.
He says leaking the databases helps prevent further compromise of the breached accounts since it triggers security measures like password resets.
"And almost all of them (other hackers) write to me with threats," Daykalif says.
The most popular password was 12345, followed by 123123, and 111111, meaning those accounts were open to the most basic brute force attacks.
Google suggests users make their passwords pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall.
Microsoft reckons users can reuse passwords on sites they do not care for, provided they set strong logins for critical sites.
Docker's security lead Diogo Mónica (@diogomonica) says debate on password choice and complexity is off the mark, and should instead focus on convincing users to run password managers to set unique jumbled credentials for all sites. ®