Social networking platform Taringa! has confirmed a data breach that exposed nearly every record in its 28 million registered user base.
On 4 September, data breach notification service LeakBase disclosed a hack where attackers allegedly stole the records for 28,722,877 registered users of Taringa!, a popular Latin American social media site. The Hacker News obtained a copy of that database. Through its own analysis, the information security news website confirmed the database contains usernames, email addresses, and passwords protected with the weak MD5 hashing algorithm. It also verified a portion of these account credentials by reaching out to some of the affected Taringa! users, who verified the authenticity of their passwords.
@Taringa the “Latin American Reddit” was hacked leaking 28,722,877 entries, hashed in a weak MD5
— LeakBase (@LeakbasePW) September 4, 2017
By exploiting numerous vulnerabilities in the MD5 hashing algorithm, the LeakBase team cracked 93.79 percent (nearly 27 million) of the leaked passwords in a matter of days.
Admins of the Latin American social media site subsequently posted a statement about the incident. The message, which is written in Spanish, clarifies that the leaked database doesn’t contain users’ phone numbers, Bitcoin wallet addresses, or access credentials for other social networking platforms. It also seeks to reassure members that Taringa! is actively looking for additional indicators of compromise.
As a Google Translate version of the breach notice states:
“From the moment our team detected the incident was working to secure the accounts and personal information of our users. At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure.”
While Taringa! works with its legal team to better understand the incident and to bolster the encryption of members’ new passwords, all affected users should change their passwords as soon as possible. They can do so using these expert tips. Additionally, members should watch out for suspicious correspondence that asks for their account credentials and/or other personal information.
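An added example, not code from Taringa! or LeakBase: one way a site holding MD5 password digests could retire them immediately, without waiting for every member to log in, and then move each account to a salted, memory-hard hash on its next successful login. It assumes the legacy digests are unsalted hex MD5 (the article does not say); the record fields, scheme labels and scrypt parameters are illustrative choices.

```python
import hashlib
import hmac
import os

# Illustrative scrypt cost parameters (assumption, tune for your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """The weak 'before' format: a single fast hash, assumed unsalted."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)

def wrap_legacy(record: dict) -> dict:
    """Bulk step that needs no plaintext: store scrypt(salt, md5_hex), drop md5_hex."""
    salt = os.urandom(16)
    return {"user": record["user"], "scheme": "scrypt-over-md5",
            "salt": salt, "hash": _scrypt(record["md5"], salt)}

def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login; on success, move a wrapped record to plain scrypt."""
    if record["scheme"] == "scrypt-over-md5":
        candidate = _scrypt(legacy_md5(password), record["salt"])
    elif record["scheme"] == "scrypt":
        candidate = _scrypt(password, record["salt"])
    else:
        return False  # raw MD5 rows must be wrapped first, never verified as-is
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if record["scheme"] != "scrypt":
        salt = os.urandom(16)
        record.update(scheme="scrypt", salt=salt, hash=_scrypt(password, salt))
    return True

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    rows = [{"user": "ana", "md5": legacy_md5("futbol2017")},
            {"user": "luis", "md5": legacy_md5("futbol2017")}]
    print("legacy digests identical:", rows[0]["md5"] == rows[1]["md5"])
    wrapped = [wrap_legacy(r) for r in rows]
    print("wrapped digests identical:", wrapped[0]["hash"] == wrapped[1]["hash"])
    print("login ok:", verify_and_upgrade(wrapped[0], "futbol2017"),
          "->", wrapped[0]["scheme"])
```

Wrapping protects the stored table going forward; it does nothing for digests that have already been copied, which is why affected users still need new passwords.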
News of this data breach follows restaurant search website Zomato’s announcement back in May 2017 that a security breach exposed 17 million users’ names, email addresses, and passwords.