Russian instant messaging site QIP.ru has been breached and the details of over 33 million users released, with passwords apparently stored in plaintext.
In a brief message sent to Infosecurity, the Utah-based security vendor said it had been sent details from 33,380,559 accounts in total, which it verified with successful password reset attempts.
“The database contains user email addresses, usernames, passwords and other related fields dating from 2009-2011,” it added. “The passwords within the database were stored in plaintext with no encryption or hashing.”
The database was provided by ‘daykalif’ – the same individual responsible for the Rambler.ru hack which is said to have exposed the account details of 100 million users.
“If your account has been compromised in any of our hacked databases, HEROIC will provide measures to remediate and secure your affected account(s) moving forward,” the firm concluded.
QIP is a similar service to ICQ – a free instant messaging platform which also allows users to make video and audio calls.
It is the third major breach to have been revealed over the past week or so – all from the same source and all relating to cyber-attacks some years ago.
Last week it was Russian online portal site Rambler where 98,167,935 accounts were compromised from 2012. And around a week before that, it was the turn of social music service Last.fm where 43,570,999 users were affected.
Also back in June, another Russian site, social media giant VK.com, breached over 100 million user records.
In many of these cases including the QIP breach, passwords were stored unencrypted and in plaintext.
What’s also become clear is that many of those credentials are way too simple to be effective log-ins.
They included “123456”, “000000” and “qwertyuiop” – passwords which would be easy for cybercriminals to guess or brute force.