Over 28 million records were compromised as a result of the breach. Records included users’ email addresses, usernames and hashed passwords. Unfortunately, the passwords were hashed using 128-bit MD5 (unsalted) encryption, a “no longer safe” and easily-crackable algorithm. In fact, the original developer of MD5 publicly deemed the password hash algorithm as such back in June 2012, just a day before the breach of 6.4 million hashed LinkedIn passwords. According to a statement made by Targinga to The Hacker News, the Reddit-like platform has already upgraded to the more modern and secure SHA256.
Taringa applied an involuntary password reset to all customer accounts. Taringa also prompted customers to check for password re-use to make sure that threat actors didn’t pivot off of Taringa to other personal and professional accounts.
Unfortunately, Taringa users may not be the only victims of further attacks facilitated by the attackers’ gains. Once cracked, the passwords may be used in credential stuffing attacks at scale not only against the original victims’ login applications, but against many applications. The passwords lists from this breach may be especially useful against other Latin-American based services with user bases who speak the same language, have similar interests, or use the same online colloquialisms.
So far there appears to be no publicly available information on the attacker’s attribution or methods.
SpyCloud’s independent research has already revealed that most of the breached users reside in Argentina, Brazil, Columbia, Venezuela, Mexico, Spain and Portugal. SpyCloud also discovered that Taringa users were awarded a sort of currency referred to as “bits” on the site that could be withdrawn using a Xapo account. This means that many users may have lost some monetary value in “bits” as a result of the breach. Xapo and Taringa announced their bitcoin integration on April 21, 2015.
In these situations it’s almost always more productive to ask what can be done than who is at fault. Sure, Taringa could have used better encryption and, inevitably, some users failed to use strong passwords. But that’s water under the bridge. What can be done now?
Affected users should first run, not walk, to their computers to change any matching passwords for other accounts. Next, they should remain vigilant of unsolicited e-mails or text messages—anything they suspect could be opportunistic phishing attempts toward already victimized users.
What can organizations do? SpyCloud has acquired this breach and has already alerted our customers. Organizations can enter an e-mail address they’re concerned about for free on our site to check their exposure. Individuals can also utilize the peace of mind of a free SpyCloud consumer account to see their exposure and monitor their addresses moving forward for their own personal use.