According to published reports, as many as 11 million passwords were posted online more than four months after hackers broke into the defenses of Gamigo, a free gaming website in Germany.
The list of passwords, which were encrypted using a one-way cryptographic hash algorithm, was published earlier this month in a forum on the password-cracking website Inside Pro, according to an article published Monday by Forbes. The list also contained 8.2 million unique email addresses, including 3 million accounts from the US, 2.4 million accounts from Germany and 1.3 million accounts from France.
Gamigo warned users in early March that an “attack against the Gamigo database” had exposed hashed passwords and usernames and possibly other, unspecified “additional personal data”. The site required users to change their account passwords. The leak of 11 million passwords four months later raises the possibility that users who reused their Gamigo password on other sites remain at risk, since the dump pairs each hash with an email address, including addresses at Gmail, Yahoo, Hotmail, IBM, Siemens, ExxonMobil, and Allianz, to name a few.
Even after removing duplicates, the number of passwords in this latest dump is among the largest seen in a public breach this year. In June, more than 6.4 million hashed passwords from members of the business networking website LinkedIn were posted online, and more than 1 million passwords for eHarmony users were also released. Although the lists were hashed, the availability of free cracking tools such as John the Ripper and Hashcat makes it possible to recover a large percentage of the passwords in most such dumps within minutes or hours, especially when a site has used a fast hash without salting.
One of the largest known password leaks occurred in 2009, with the publication of more than 32 million plaintext passwords retrieved from the online game service RockYou. Even after removing the duplicate passwords, the list contained more than 14 million passwords. That list now serves as one of the main wordlists that many crackers use to guess passwords.
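To show why a hashed dump plus a RockYou-style wordlist falls so quickly, and what a site would have needed to do differently, here is an added example written for this article; it is not Gamigo's code, nor that of John the Ripper or Hashcat. The user records, salts and ten-word wordlist are constructed, and because the article does not say which hash Gamigo used, the attacker side simply assumes MD5 or SHA-1 and tries both. The same dictionary attack is then run against per-user salted PBKDF2 hashes so the difference in cost is visible.

```python
"""Why a hashed dump is not safe: dictionary cracking of unsalted fast hashes.

Added example for this article, not Gamigo's or any vendor's code.  The storage
scheme, user records, salts and wordlist below are all constructed; which hash
Gamigo actually used is not stated, so MD5 and SHA-1 are assumed and both tried.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional, Tuple

# Constructed mini wordlist of the kind of entries that top RockYou-style lists.
WORDLIST = ["123456", "password", "iloveyou", "princess", "qwerty",
            "dragon", "football", "monkey", "letmein", "abc123"]


# ---- site side: two ways a site might store the same passwords ----------------
def store_unsalted(password: str, algo: str = "md5") -> str:
    """One fast, unsalted hash per password: identical passwords hash identically."""
    return hashlib.new(algo, password.encode()).hexdigest()


def store_salted_kdf(password: str, salt: Optional[bytes] = None,
                     iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


# ---- attacker side ------------------------------------------------------------
def crack_unsalted(dump: Dict[str, str], wordlist: Iterable[str],
                   algos: Tuple[str, ...] = ("md5", "sha1")) -> Dict[str, str]:
    """Hash the wordlist once, then look every dumped hash up in that table.

    Work is len(wordlist) * len(algos) hash calls for the WHOLE dump, which is
    why millions of unsalted hashes fall in minutes.
    """
    table = {}
    for algo in algos:
        for word in wordlist:
            table[hashlib.new(algo, word.encode()).hexdigest()] = word
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """No shared table is possible: each (user, guess) pair costs a full KDF run."""
    words = list(wordlist)
    found = {}
    for user, stored in dump.items():
        _, iters, salt_hex, dk_hex = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for word in words:
            dk = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iters)
            if hmac.compare_digest(dk.hex(), dk_hex):
                found[user] = word
                break
    return found


def demo() -> Dict[str, object]:
    """Run both attacks against the same constructed user base and report the result."""
    users = {"alice@example.com": "123456",       # in the wordlist
             "bob@example.org": "letmein",         # in the wordlist
             "carol@example.net": "Tr0ub4dor&3"}   # not in the wordlist
    unsalted_dump = {u: store_unsalted(p) for u, p in users.items()}
    salted_dump = {u: store_salted_kdf(p, iterations=20_000) for u, p in users.items()}

    t0 = time.perf_counter()
    unsalted_cracked = crack_unsalted(unsalted_dump, WORDLIST)
    t1 = time.perf_counter()
    salted_cracked = crack_salted(salted_dump, WORDLIST)
    t2 = time.perf_counter()
    return {
        "unsalted_cracked": unsalted_cracked,
        "salted_cracked": salted_cracked,
        "unsalted_seconds": t1 - t0,
        "salted_seconds": t2 - t1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both attacks recover alice's and bob's passwords and neither recovers carol's, so salting and a slow KDF do not rescue a password that is in the wordlist. What changes is the cost: the unsalted attack builds one table of twenty hashes and then checks the entire dump with dictionary lookups, so its work does not grow with the number of leaked accounts, while the salted attack has to run PBKDF2 afresh for every account and every guess. Scaling the constructed numbers to an 11 million entry dump and a 14 million word list is the difference between minutes and years.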