Security experts and news outlets alike have been ruminating over the data breach at Taringa, an Argentine social network with a predominantly Latin American user base.
Over 28 million records were compromised as a result of the breach. Records included users’ email addresses, usernames and hashed passwords. Unfortunately, the passwords were hashed using unsalted 128-bit MD5, a “no longer safe” and easily cracked algorithm. The original developer of MD5 publicly deemed the password hash algorithm as such back in June 2012, just a day before the breach of 6.4 million hashed LinkedIn passwords. According to a statement made by Taringa to The Hacker News, the Reddit-like platform has already been upgraded to the more modern and secure SHA256.
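As an added illustration (not code from SpyCloud or Taringa; the wordlist and user records below are constructed), this Python script shows why an unsalted fast hash lets a single wordlist pass cover every user at once and why identical hashes betray password reuse before any guess is made, then contrasts that with per-user salting and a slow KDF. The same lookup works unchanged against unsalted SHA256, so a hash-function upgrade only helps when salts and a slow KDF come with it.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample wordlist and user table (NOT real Taringa data).
WORDLIST = ["123456", "password", "taringa", "hola1234", "qwerty"]

def fast_hash(password, algo="md5"):
    """Unsalted one-way hash, as the breached site stored passwords (md5)."""
    return hashlib.new(algo, password.encode()).hexdigest()

SAMPLE_RECORDS = [  # (username, unsalted MD5 hex), constructed
    ("ana", fast_hash("123456")),
    ("bruno", fast_hash("taringa")),
    ("carla", fast_hash("123456")),
    ("diego", fast_hash("S3cure!Passphrase#91")),
]

def recover_unsalted(records, wordlist, algo="md5"):
    """One precomputed table serves every record: len(wordlist) hashes total,
    no matter how many users there are. Returns {user: password}."""
    table = {fast_hash(w, algo): w for w in wordlist}
    return {user: table[h] for user, h in records if h in table}

def shared_password_groups(records):
    """Without salt, equal hashes mean equal passwords, so reuse is visible
    without cracking anything. Returns {hash: [users]} for groups > 1."""
    groups = defaultdict(list)
    for user, h in records:
        groups[h].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

def store_salted(password, iterations=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256): every user
    costs a fresh wordlist pass, and each pass is deliberately slow."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": iterations}

def verify_salted(password, stored):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(stored["salt"]), stored["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(stored["hash"]))

def guesses_needed(n_users, wordlist_len, salted):
    """Hash computations for one full wordlist pass over the whole table."""
    return wordlist_len * (n_users if salted else 1)

if __name__ == "__main__":
    print(recover_unsalted(SAMPLE_RECORDS, WORDLIST))
    print(shared_password_groups(SAMPLE_RECORDS))
    a, b = store_salted("123456"), store_salted("123456")
    print(a["hash"] != b["hash"], verify_salted("123456", a))
```

With 28 million unsalted records the whole table costs one pass over the wordlist; salting multiplies that cost by the number of users and the KDF multiplies it again per guess.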
Taringa applied a forced password reset to all customer accounts. Taringa also prompted customers to check for password reuse, so that threat actors could not pivot from Taringa credentials to users’ other personal and professional accounts.
Unfortunately, Taringa users may not be the only victims of further attacks facilitated by the attackers’ gains. Once cracked, the passwords may be used in credential stuffing attacks at scale not only against the original victims’ login applications, but against many applications. The password lists from this breach may be especially useful against other Latin American-based services with user bases that speak the same language, have similar interests, or use the same online colloquialisms.
So far there appears to be no publicly available information on the attacker’s attribution or methods.
SpyCloud’s independent research has already revealed that most of the breached users reside in Argentina, Brazil, Colombia, Venezuela, Mexico, Spain and Portugal. SpyCloud also discovered that Taringa users were awarded a form of site currency referred to as “bits” that could be withdrawn to a Xapo account. This means that many users may have lost some monetary value in “bits” as a result of the breach. Xapo and Taringa announced their Bitcoin integration on April 21, 2015.
In these situations it’s almost always more productive to ask what can be done than who is at fault. Sure, Taringa could have used stronger password hashing and, inevitably, some users failed to choose strong passwords. But that’s water under the bridge. What can be done now?
Affected users should first run, not walk, to their computers to change any matching passwords on other accounts. Next, they should stay alert to unsolicited emails or text messages, since anything of the kind could be an opportunistic phishing attempt aimed at already-victimized users.
Learn from the Taringa Data Breach & Protect Yourself
What can organizations do? SpyCloud has acquired this breach and has already alerted our customers. Organizations can enter an email address they’re concerned about for free on our site to check their exposure.