Russian internet giant Rambler.ru hacked, leaking 98 million accounts

The internet giant didn't deny that it stored passwords in unencrypted plaintext, but it suggested that its password security policies are far stronger now.
Written by Zack Whittaker, Contributor

Russian internet portal and email provider Rambler.ru has become the latest victim in a growing list of historical hacks.

Breach notification site LeakedSource.com, which obtained a copy of an internal customer database, said the attack dates back to Feb. 17, 2012.

More than 98.1 million accounts were in the database, including usernames, email addresses, social account data, and passwords, the group said in a blog post. Unlike most other major breaches, the passwords were stored in unencrypted plaintext rather than hashed, meaning anyone with access to the database, including whoever copied it, could read every password directly.

The last breach on this scale involving plaintext password storage was at Russian social networking site VK.com, from which 171 million accounts were taken.

Rambler.ru now joins LinkedIn and Last.fm, both breached in 2012, and MySpace and Tumblr, both breached in 2013, on the list of sites whose years-old breaches have only recently come to light.

LeakedSource said it had verified the breach and has added the cache to its searchable database.

Rambler.ru is one of the largest websites in the world, and one of the most visited in Russia. Founded in 1996, the company provides search, news, email, and advertising, making it a powerhouse of the Russian internet. The company competes with Yandex, and with Mail.ru, which also owns VK.com and which this year made headlines for a second time for suffering at the hands of hackers.

After a lengthy back and forth with Rambler.ru Chief Information Officer Ilya Zuev, the company issued the following response:

"We know about that database. It was leaked March 2014 and contained millions of accounts. Right after the accident we forced our users to change their passwords. Nowadays [a] situation like that is impossible. We do not store passwords in plain text, all data is encrypted (passwords hashed), we have added mobile phone verification option and constantly remind our users about the necessity of changing passwords."

The company added: "We also have forbidden [the use of] previously used passwords for the same account."
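The difference between the storage the leak exposed (a password column readable by anyone holding a copy of the table) and the practice the company now describes (salted hashes, plus a ban on reusing earlier passwords) is easiest to see in code. The following is an added example written for this page, not Rambler.ru's code or anything LeakedSource published. It uses Python's standard-library PBKDF2-HMAC-SHA256; the iteration count, salt length, history depth and the `HashedPasswordStore` API are illustrative choices, and production deployments should size the work factor to current guidance and their own hardware.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Illustrative parameters for this example (assumptions, not vendor values).
DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; tune to hardware
SALT_BYTES = 16                # per-user random salt, defeats shared rainbow tables
HISTORY_DEPTH = 5              # how many old password digests to keep for reuse checks


def plaintext_store_lookup(db: dict, username: str) -> str:
    """The failure mode from the article: a 'password' column holds the secret
    itself, so a copy of the table is directly a list of working credentials."""
    return db[username]


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    iterations: int
    # (salt, digest, iterations) of previous passwords, oldest first.
    history: list = field(default_factory=list)


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted key derivation; the only thing the store keeps is its output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class HashedPasswordStore:
    """Stores salted PBKDF2 digests only and forbids reusing a previous password."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS) -> None:
        self._iterations = iterations
        self._records: dict[str, PasswordRecord] = {}

    @staticmethod
    def _matches(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
        candidate = _derive(password, salt, iterations)
        # Constant-time comparison so the digest cannot be probed byte by byte.
        return hmac.compare_digest(candidate, digest)

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        digest = _derive(password, salt, self._iterations)
        self._records[username] = PasswordRecord(salt, digest, self._iterations)

    def verify(self, username: str, password: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            # Do a dummy derivation so unknown usernames cost the same time as known ones.
            _derive(password, b"\x00" * SALT_BYTES, self._iterations)
            return False
        return self._matches(password, rec.salt, rec.digest, rec.iterations)

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Return False if the old password is wrong or the new one was used before."""
        rec = self._records.get(username)
        if rec is None or not self._matches(old, rec.salt, rec.digest, rec.iterations):
            return False
        previous = rec.history + [(rec.salt, rec.digest, rec.iterations)]
        # Reuse check: the new password must not match any retained old digest.
        if any(self._matches(new, s, d, i) for s, d, i in previous):
            return False
        salt = os.urandom(SALT_BYTES)
        rec.history = previous[-HISTORY_DEPTH:]
        rec.salt, rec.digest, rec.iterations = salt, _derive(new, salt, self._iterations), self._iterations
        return True

    def leaked_view(self, username: str) -> dict:
        """What an attacker gets from a copy of this table: salt and digest, no password."""
        rec = self._records[username]
        return {"salt": rec.salt.hex(), "digest": rec.digest.hex(), "iterations": rec.iterations}


if __name__ == "__main__":
    # Constructed sample data, not from the breach.
    leaked_plaintext_db = {"user1@example.invalid": "hunter2"}
    print("plaintext table yields:", plaintext_store_lookup(leaked_plaintext_db, "user1@example.invalid"))

    store = HashedPasswordStore()
    store.set_password("user1@example.invalid", "hunter2")
    print("hashed table yields:", store.leaked_view("user1@example.invalid"))
    print("login ok:", store.verify("user1@example.invalid", "hunter2"))
    print("reuse allowed:", store.change_password("user1@example.invalid", "hunter2", "hunter2"))
```

The reuse check has to rehash the candidate under each retained salt, which is why the history is capped: every extra entry is one more slow derivation at password-change time. A leaked copy of the hashed table gives the attacker only per-user salts and digests, so recovering any password costs a full PBKDF2 run per guess per user instead of a read.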
