PRIVACY

Russian Woman Claims Millions Of Hacked Instagram Passwords

The woman, whose boasts have proven true in the past, says she has new passwords to lots of sites, including Instagram

PRIVACY
Illustration: R. A. Di Ieso
Jun 09, 2016 at 11:00 AM ET

A Russian speaker with strong connections to the hacking world—she previously provided enormous batches of emails and passwords to several social networks—claims to have far more up her sleeve.

The person in question goes by Tessa88. Though these claims didn’t make the national press at the time, she claimed in April on at least two Russian hacker forums to own numbers of usernames and passwords to log in to sites like MySpace, DropBox, Instagram, VK (the Russian counterpart to Facebook), as well as a number of others. She offered a pretty simple deal—hundreds of millions of users for a few hundred dollars. (Note: In a conversation, Tessa88 didn’t respond to a question about her gender. We’re using feminine pronouns since she refers to herself as female in at least one of her profiles.)

As it turns out, she appears to have had user data belonging to at least the first two sites she claimed she did. Researchers at Leakedsource, a site that acquires such hacked dumps and lets potential victims search to see if they were affected, have so far verified both the MySpace and VK dumps, both from Tessa88, and integrated them into their databases. That’s the usernames and passwords for at least 11 million and 100 million users, respectively. 

Tessa88 clearly isn’t the only person with this information. Someone using a different handle, who goes by the name Peace, has provided journalists with both that MySpace dump and one of 117 million LinkedIn profiles. All of the aforementioned hacks are believed to have happened several years ago and it is unclear what individual or individuals are actually responsible for the hacks themselves.

But the fact that they’ve recently become far more visibly traded by hackers in recent weeks is still important, especially considering how frequently people will reuse the same login information on multiple sites. Multiple users who reuse the same logins and were included in the LinkedIn breach have recently found their PayPal or banking information compromised, for instance.

In a Jabber conversation with Vocativ, Tessa88 said that she was in possession of a vast quantity of hacked databases, including Facebook, Instagram, the dating sites Cupid and Badoo, and popular eastern European social network site OK.ru. She declined to immediately elaborate where she got those logins, though, saying she was driving a car. She also requested 1 bitcoin as collateral for the information, which Vocativ was unwilling to provide.

One LeakedSource researcher told Vocativ that they were investigating some of Tessa88’s other dumps, including Instagram, to verify their accuracy.

In her earlier claims on Russian forums, Tessa88 said that she had 380 million MySpace and 137 million VK accounts for sale. Leakedsource’s analysis found some 360 million MySpace and 100 million VK records, though many of those were paired with both a username and password. MySpace’s passwords were encrypted, but weren’t salted—in other words, they could be decrypted very easily by a hacker. MySpace insists it has much better password security now. VK had even worse security, and stored those passwords in plaintext.

With all those accounts she offered in April, Tessa88 claimed the other, currently unverified dumps were similarly huge, even if they’re similarly whittled down, including 103 million Dropbox accounts and 126 million Badoo accounts. A Badoo dump of 127 million records—which didn’t come from Tessa88, though it’s possible it’s the same file—was previously reported by Motherboard and verified by LeakedSource, though it’s unclear exactly how many of those accounts contained functional usernames with passwords.

It’s worth noting that multiple other users on these and other Russian hacking forums made similar claims both before and after Tessa88’s, though it’s only her breaches that have been verified by these researchers. And although there’s no evidence that this user herself has actually hacked anyone, her claims don’t end there.

“I have the whole world,” Tessa88 told Vocativ. “I hacked everyone.”

Update: Tessa88 provided a data set containing over 30 million Twitter user credentials to security research group LeakedSource on Thursday. They have verified the authenticity of a small sample of credentials. It is unlikely that Twitter experienced a security breach. Instead, the researchers suspect the data was gained from malware infections.