Summary
Nearly 100 million records have been leaked online in yet another “mega breach”, this time from the website Rambler.ru, which, for those who don’t already know, is the “Russian version of Yahoo”. Rambler.ru was hacked for 98,167,935 users on February 17th, 2012, and this data set was provided to us by daykalif@xmpp.jp, who also provided the Last.fm mega breach.
Each record contains:
- A username/email address
- Password
- ICQ # (yeah)
- And some other internal data
Because rambler.ru is an e-mail provider (like Gmail), we say username/email together: the username is always the first part of the email address. For example, in the address webmaster@rambler.ru, “webmaster” is the username, and it always comes before “@rambler.ru”.
We verified this database with the help of journalist Maria Nefedova, who works for xakep.ru. Specifically, we sent three of her friends the first portion of the passwords attached to their accounts in this breach, and they filled in the rest (4-6 characters each) for us with 100% accuracy. Just like every single mega breach we have exposed before, attempts by other journalists to contact Rambler on our behalf had failed at the time of this post.
Companies that want to protect their users against hacking via password re-use from this and every other mega breach can contact us about using our API.
You also may search for your email or username in any leaked databases by visiting our homepage.
Passwords
Similar to the VK.com hack, passwords on rambler.ru were stored with no encryption or hashing (the plaintext passwords are visible in the file). Here are the top 50.
| Rank | Password | Frequency |
| --- | --- | --- |
| 1 | asdasd | 723,039 |
| 2 | asdasd123 | 437,638 |
| 3 | 123456 | 430,138 |
| 4 | 000000 | 346,148 |
| 5 | 666666 | 249,812 |
| 6 | 654321 | 242,503 |
| 7 | cfreyjdf | 237,009 |
| 8 | 123321 | 236,871 |
| 9 | 555555 | 230,453 |
| 10 | 123123 | 222,983 |
| 11 | 7777777 | 207,347 |
| 12 | 12345678 | 196,474 |
| 13 | 1234567890 | 163,653 |
| 14 | 777777 | 138,500 |
| 15 | 121212 | 134,767 |
| 16 | 112233 | 124,950 |
| 17 | 987654321 | 87,908 |
| 18 | 123456789 | 86,841 |
| 19 | 123654 | 86,041 |
| 20 | 111111 | 85,735 |
| 21 | 999999 | 81,870 |
| 22 | 159753 | 79,849 |
| 23 | 222222 | 77,389 |
| 24 | qazwsx | 74,799 |
| 25 | 987654 | 70,822 |
| 26 | 123 | 69,018 |
| 27 | gfhjkm | 65,369 |
| 28 | 333333 | 64,383 |
| 29 | zxcvbn | 63,433 |
| 30 | qwertyuiop | 62,462 |
| 31 | password | 62,371 |
| 32 | 1111111 | 61,790 |
| 33 | ifkfubyjd | 61,661 |
| 34 | 1q2w3e | 61,517 |
| 35 | qwerty | 60,928 |
| 36 | 355553 | 59,442 |
| 37 | 123qwe | 59,118 |
| 38 | 123456q | 58,484 |
| 39 | 12345 | 56,579 |
| 40 | 131313 | 56,257 |
| 41 | 159357 | 55,182 |
| 42 | qwerty123 | 54,703 |
| 43 | 1234567 | 53,796 |
| 44 | 111222 | 53,616 |
| 45 | zxcvbnm | 53,597 |
| 46 | 147258 | 50,651 |
| 47 | 789456 | 49,227 |
| 48 | pass123 | 48,402 |
| 49 | 888888 | 47,557 |
| 50 | 11111111 | 45,443 |
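As an added illustration (this is not LeakedSource’s code, nor anything from Rambler), here is how a defender would process records in the layout described above: build a ranked frequency table like the one shown, check whether a password column is plaintext or hashed, turn the top entries into a deny list for new passwords, and store credentials as salted PBKDF2 hashes instead of the plaintext Rambler kept. The records and ICQ numbers are constructed for the example, not rows from the leak.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample in the post's layout: (username/email, password, ICQ number).
# These are made-up rows for illustration, not records from the actual dump.
SAMPLE_RECORDS = [
    ("webmaster@rambler.ru", "asdasd", "100001"),
    ("ivan@rambler.ru", "asdasd", "100002"),
    ("olga@rambler.ru", "123456", "100003"),
    ("petr@rambler.ru", "asdasd", ""),
    ("anna@rambler.ru", "cfreyjdf", "100005"),
    ("dmitry@rambler.ru", "123456", "100006"),
]

def username_of(email):
    """The username is the part before '@', as the post explains for rambler.ru."""
    return email.split("@", 1)[0]

def top_passwords(records, n):
    """Rank passwords by frequency, producing (rank, password, count) rows like the table."""
    counts = Counter(pw for _, pw, _ in records)
    return [(rank, pw, freq) for rank, (pw, freq) in enumerate(counts.most_common(n), 1)]

def looks_hashed(values):
    """Heuristic: a column of equal-length hex strings is probably hashed; varied strings are plaintext."""
    hexchars = set("0123456789abcdef")
    return len({len(v) for v in values}) == 1 and all(set(v.lower()) <= hexchars for v in values)

# Defender side: the most common breached passwords become a deny list for new sign-ups.
DENY_LIST = {pw for _, pw, _ in top_passwords(SAMPLE_RECORDS, 50)}

def is_denied(password):
    return password in DENY_LIST

def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; stored as salt$iterations$digest (all hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)
```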
Misc
Other than passwords, there isn’t much point in analyzing the other columns because they provide no interesting information. Nearly all of the emails in the leak end in @rambler.ru and although they apparently own a few other domains, the other domains are rarely used.
Here is an image of the breach file’s headers for the technologically inclined, showing what system was targeted and some of Rambler’s technology stack.
We do have more mega breaches coming soon, so keep an eye on our Twitter. Any journalists who want to be notified about all future breaches, DM us on Twitter with your email address.
Again, we strongly encourage all companies to contact us about using our API to make your users immune to the effects of data breaches. Many companies have already used our services to great success.
Anyone may use any information on this page for free provided LeakedSource is given credit and a direct link back.
Signing off until the next breach (so tomorrow), LeakedSource.