Security

Bazinga! Social network Taringa 'fesses up to data breach

Que pasó?

By John Leyden

2 SHARE

Latin American social networking site Taringa has suffered a database breach that has resulted in the spill of more than 28 million records.

Usernames, hashed passwords (using the weak MD5 algorithm) and personal email addresses have been exposed by the breach. Argentinia-based Taringa’s breach statement (in Spanish) can be found here. Neither phone numbers nor addresses from Bitcoin wallets associated with a Taringa program were exposed by the breach, according to the Reddit-like social networking site.

LeakBase claims that it has already cracked 94 per cent of password hashes exposed in the latest dumps.

In response, Taringa – which has users all over the Spanish-speaking world – has applied a password reset as well as urging consumers to review their use of login credentials elsewhere to make sure they are not using the same (now compromised) passwords on other sites.

Although the breach affects a consumer site, it poses a risk for corporates because it opens the door to the well-practised hacker tactic of using the same login credentials to break into more sensitive (webmail, online banking) or corporate accounts. The still widespread practice of password reuse opens the door to such credential stuffing attacks.

A list of top 50 common/worst passwords chosen by Taringa users can be found here.

Andrew Clarke, EMEA director at One Identity, opined: "The reported breach at Taringa highlights some fundamental issues. The fact that an administrative file holding passwords was accessible demonstrates little or no control over privileged accounts. Then the passwords were easily cracked since the company used a weak MD5 (128-bit) algorithm rather than SHA-256.” ®

Sign up to our NewsletterGet IT in your inbox daily

2 Comments

More from The Register

Exposing 145m Equifax customer deets: $240m. Legal fees: $28.9m. Insurance: Priceless

Data breach cost biz $70m this quarter alone

Another staffer at mega-hacked Equifax slapped with insider trading rap

Credit agency promises eight US states it will boost cyber security measures, escapes fine

Eight months after Equifax megahack, some Brits are only just being notified

I'm fsck-ed off it took this long, rages affected Reg reader

Equifax reveals full horror of that monstrous cyber-heist of its servers

146 million people, 99 million addresses, 209,000 payment cards, 38,000 drivers' licenses and 3,200 passports

Equifax mega-breach: Security bod flags header config conflict

Help wanted at Equifax. Badly

Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe

Nothing to see here, move along. Go back to your homes

Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Pwned credit-score biz quietly admits more info lost

Sole Equifax security worker at fault for failed patch, says former CEO

Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity

White House plan to nuke social security numbers is backed by Equifax's ex-top boss

We meant it, nothing matters any more. Nothing at all

Equifax peeks under couch, finds 2.4 million more folk hit by breach

It's OK, it was only partial driving licence information