VKontakte Breach

In around 2012, Russia’s largest social network VKontakte (VK) fell victim to a credential-theft operation that remained hidden for four years. The breach burst into view on 5 June 2016 when the hacker “Peace” advertised 100 million VK accounts on a Tor-based market for 1 BTC (≈ US $580). Within hours, LeakedSource ingested the full trove and tallied 181 million rows, calling it one of the biggest social-media leaks on record.​

The dump featured full names, email addresses, phone numbers and passwords hashed with unsalted MD5—so weak that LeakedSource cracked 90 percent of them in under three hours. Metadata showed the newest profiles dated to late 2012, matching Peace’s claim that the intrusion occurred “around the end of that year.”​

After de-duplicating case variants and blanks, researchers counted roughly 100 million unique email-and-password pairs. Even that slimmer set was powerful ammunition: credential-stuffing waves soon targeted Gmail, PayPal and Steam, while Russian cyber-crime forums bundled VK logins into combo lists for spam and phishing kits. Analysts also noted that “123456,” “qwerty” and “password” dominated the cracked list, underscoring chronic weak-password habits.​

VK’s press office downplayed the risk, saying the file held “old logins and passwords collected by fraudsters in 2011–2012,” yet it still urged users to reset credentials and enable two-factor authentication. The company never disclosed the attack vector; security bloggers suspect an unpatched SQL-injection flaw in an early mobile API.​

The timing—just weeks after historic leaks from LinkedIn, Tumblr and Myspace—amplified fears that a single actor was monetising years-old compromises in bulk. Password-management vendors cited the VK spill while lobbying enterprises to adopt breached-password detection, and privacy advocates renewed calls for Russia to introduce GDPR-style notification rules.​