Bazinga! Social network Taringa 'fesses up to data breach

Que pasó?

By John Leyden

Posted in Security, 5th September 2017 13:36 GMT

Latin American social networking site Taringa has suffered a database breach that has resulted in the spill of more than 28 million records.

Usernames, hashed passwords (using the weak MD5 algorithm) and personal email addresses have been exposed by the breach. Argentinia-based Taringa’s breach statement (in Spanish) can be found here. Neither phone numbers nor addresses from Bitcoin wallets associated with a Taringa program were exposed by the breach, according to the Reddit-like social networking site.

LeakBase claims that it has already cracked 94 per cent of password hashes exposed in the latest dumps.

In response, Taringa – which has users all over the Spanish-speaking world – has applied a password reset as well as urging consumers to review their use of login credentials elsewhere to make sure they are not using the same (now compromised) passwords on other sites.

Although the breach affects a consumer site, it poses a risk for corporates because it opens the door to the well-practised hacker tactic of using the same login credentials to break into more sensitive (webmail, online banking) or corporate accounts. The still widespread practice of password reuse opens the door to such credential stuffing attacks.

A list of top 50 common/worst passwords chosen by Taringa users can be found here.

Andrew Clarke, EMEA director at One Identity, opined: "The reported breach at Taringa highlights some fundamental issues. The fact that an administrative file holding passwords was accessible demonstrates little or no control over privileged accounts. Then the passwords were easily cracked since the company used a weak MD5 (128-bit) algorithm rather than SHA-256.” ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Equifax mega-breach: Security bod flags header config conflict

Help wanted at Equifax. Badly

Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Pwned credit-score biz quietly admits more info lost

Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe

Nothing to see here, move along. Go back to your homes

Sole Equifax security worker at fault for failed patch, says former CEO

Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity

White House plan to nuke social security numbers is backed by Equifax's ex-top boss

We meant it, nothing matters any more. Nothing at all

Equifax UK admits: 400,000 Brits caught up in mega-breach

UK dedicated systems not affected

Missed patch caused Equifax data breach

Apache Struts was popped, but company had at least TWO MONTHS to fix it

Equifax mega-leak: Security wonks smack firm over breach notification plan

A Wordpress site? Really?

UK financial regulator confirms it is probing Equifax mega-breach

Watchdog could ban firm from operating in the country

What's that, Equifax? Most people expect to be notified of a breach within hours?

Go on, you're the breach expert