What Happened
In 2012, Russia’s largest social network VKontakte (VK) suffered a major credential-theft breach, exposing data from approximately 100 million accounts—including full names, email addresses, phone numbers, locations, and plaintext or weakly hashed (unsalted MD5) passwords—which remained undetected until June 2016 when hacker “Peace” (aka Tessa88) advertised the dump on a Tor-based dark web market for 1 BTC (~$580). LeakedSource analyzed the full trove of 181 million rows (de-duplicated to ~100 million unique email-password pairs), noting weak passwords like “123456” and “qwerty” that cracked easily, enabling credential-stuffing attacks on sites like Gmail, PayPal, and Steam. VK denied a direct hack, claiming the data comprised old 2011-2012 logins collected by fraudsters via malware, and urged users to reset passwords and enable two-factor authentication, though experts suspected an unpatched SQL injection in a mobile API. The incident, timed with leaks from LinkedIn and MySpace by the same actor, highlighted password reuse risks and prompted calls for better security practices.
