A hacker has obtained 171 million user accounts associated with social networking giant VK.com.
The stolen database contains full names, email addresses and plain-text passwords, and in many cases locations and phone numbers.
The St. Petersburg, Russia-headquartered social network -- formerly known as VKontakte -- is said to be the largest in Europe, with over 350 million users at the last count. The hack is thought to have been carried out in late 2012 or early 2013, but the hacker who is selling the data could not be more precise.
Given the timing, the entire store of VK's data -- which at the time had just under 190 million users -- is likely to have been taken in the hack.
The hacker is now selling a smaller portion of the database -- 100 million accounts, which is a little over 17 gigabytes in size -- on a dark web marketplace for 1 bitcoin, or about $580 at the time of writing.
That same for-sale database was provided to ZDNet for verification.
We examined the database that was provided by searching a selection of names in VK's public search engine -- many of which turned up valid results. We reached out to many of these users for confirmation via the email addresses listed in the breach, but didn't immediately hear back -- we will update the story if that changes. A handful of queries returned nothing, indicating a user was no longer a member or had deactivated their account.
LeakedSource.com, a search engine that records breaches and allows users to search their details, also obtained a portion of the database -- albeit a smaller data set of about 100 million records.
Given the social network's predominance in Russia, the most common password was "123456," in line with other breaches. LeakedSource.com also found that the most common email address came from mail.ru, which may not be a coincidence, since VK.com was bought by the Mail.ru group in 2014. That led to the ousting of the company's founder, Pavel Durov, who later fled Russia amid a shake-up of the country's media laws. Durov later founded encrypted chat app Telegram.
For its part, VK.com said in an email on Monday that it "hasn't been hacked."
"We are talking about old logins / passwords that had been collected by fraudsters in 2011-2012. All users' data mentioned in this database was changed compulsorily," said a spokesperson. "Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password."
An email to Durov on Sunday went unreturned.
Correction: an earlier version of this story had a headline which suggested that 171 million user accounts are up for sale, when in fact a smaller 100 million database was put up for sale. We regret the error.
Update: added statement from VK.com.