Hackers Steal Over 33 Million Passwords from QIP.ru Messaging Service

A Data Breach That Took Place in 2011 Led to 33 Million Stolen Passwords

The number of leaked login credentials has risen dramatically over the last two weeks. On September 1, 2016, LeakedSource, a data breach indexing website, announced that it had obtained nearly 44 million Last.fm passwords stolen during an attack from 2012. On September 5, the same website said that it also has the passwords of just over 98 million Rambler.ru accounts taken during another 2012 hack. The most recent leak came three days later leading to over 33 million passwords being stolen, which was uncovered due to the company called HEROIC announcing that it had received data stolen during a 2011 breach of QIP.ru's system.

The leaked information collected during the three attacks came from one and the same source – a hacker who goes by the nickname daykalif.

QIP.ru is a Russian instant messaging service that supports text, audio, and video communication. When bad actors managed to infiltrate its system, they stole the email addresses, registration dates, passwords, and other sensitive information related to exactly 33,394,101 accounts.

The QIP accounts were registered between 2009 and 2011, which means that the passwords have most likely been changed since the breach. Nevertheless, the leaked information revealed a couple of worrying facts.

HEROIC did what any security company would do and took a closer look at the data dump. It then put together a list of the most frequently used QIP passwords in 2011.

Here are the Top 5 QIP passwords used in 2011:

1. 123456
2. 123123
3. 111111
4. 123456789
5. 12345678

Software companies have gone to great lengths to convince the general public that using strong, hard-to-guess login credentials is a vital step towards improving security. However, the list above shows that the results of these efforts weren't brilliantly exercised back in 2011.

Another thing that caught the experts' attention was the fact that QIP and Rambler stored users' passwords in plain text. Though, Last.fm did use MD5 secure hashing, but within two hours, LeakedSource was able to break the algorithm and get to about 96% of the passwords.

Any and everyone, big or small, are vulnerable to security breaches. By storing passwords in plain text and utilizing insecure and outdated methods to protect their clients, companies are making hackers' lives literally easy as 1,2,3. In any case, if you're using brute force-friendly passphrases like the ones you see on the list above, you only have yourself to blame.