Bazinga! Social network Taringa 'fesses up to data breach

Que pasó?

By John Leyden


Latin American social networking site Taringa has suffered a database breach that has resulted in the spill of more than 28 million records.

Usernames, hashed passwords (using the weak MD5 algorithm) and personal email addresses have been exposed by the breach. Argentinia-based Taringa’s breach statement (in Spanish) can be found here. Neither phone numbers nor addresses from Bitcoin wallets associated with a Taringa program were exposed by the breach, according to the Reddit-like social networking site.

LeakBase claims that it has already cracked 94 per cent of password hashes exposed in the latest dumps.

In response, Taringa – which has users all over the Spanish-speaking world – has applied a password reset as well as urging consumers to review their use of login credentials elsewhere to make sure they are not using the same (now compromised) passwords on other sites.

Although the breach affects a consumer site, it poses a risk for corporates because it opens the door to the well-practised hacker tactic of using the same login credentials to break into more sensitive (webmail, online banking) or corporate accounts. The still widespread practice of password reuse opens the door to such credential stuffing attacks.

A list of top 50 common/worst passwords chosen by Taringa users can be found here.

Andrew Clarke, EMEA director at One Identity, opined: "The reported breach at Taringa highlights some fundamental issues. The fact that an administrative file holding passwords was accessible demonstrates little or no control over privileged accounts. Then the passwords were easily cracked since the company used a weak MD5 (128-bit) algorithm rather than SHA-256.” ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

Updated 'Entirely preventable' theft down to traffic-monitoring certificate left expired for 19 months

Equifax exec's inside trade shame: Software boss sentenced for mega-hack stock profit

Thrown in the small house rather than the big house

Exposing 145m Equifax customer deets: $240m. Legal fees: $28.9m. Insurance: Priceless

Data breach cost biz $70m this quarter alone

Another staffer at mega-hacked Equifax slapped with insider trading rap

Credit agency promises eight US states it will boost cyber security measures, escapes fine

Eight months after Equifax megahack, some Brits are only just being notified

I'm fsck-ed off it took this long, rages affected Reg reader

Equifax mega-breach: Security bod flags header config conflict

Help wanted at Equifax. Badly

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit

And let security kit fail for 10 months due to bad cert

Equifax reveals full horror of that monstrous cyber-heist of its servers

146 million people, 99 million addresses, 209,000 payment cards, 38,000 drivers' licenses and 3,200 passports

Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers

Updated UK watchdog demands max penalty after security snafu

Sole Equifax security worker at fault for failed patch, says former CEO

Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity