Menu
Browse

Cyber Incident Victim: Rambler

Date:

Feb 2012

Location:

Russia

Summary

A Russian internet services provider experienced a significant data breach compromising nearly 100 million user accounts, with exposed credentials including usernames, email addresses, and plaintext passwords exhibiting weak patterns like '123456' and 'asdasd'. The incident, attributed to a historical intrusion, involved unencrypted password storage and surfaced publicly years later through a third-party breach notification service that obtained the dataset from an external source. While the exact attack vector remains unconfirmed, speculation included potential exploitation of software vulnerabilities or credential reuse from unrelated breaches. The leaked records were subsequently circulated on underground markets alongside other contemporaneous mega-breaches affecting major platforms.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 5 motives 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

The Rambler data breach, initially occurring on 17 February 2012, involved the compromise of approximately 98.2 million user records from the Russian web portal Rambler.ru, with the data surfacing publicly in September 2016. According to breach notification service LeakedSource, which obtained and verified the dataset, the exposed information included usernames, email addresses, and passwords stored in plaintext format without encryption. The credentials exhibited significant security weaknesses, with the most common passwords being easily guessable strings such as "asdasd" (723,039 instances), "asdasd123" (437,638), "123456" (430,138), "000000" (346,148), and "666666" (249,812). The data was provided to LeakedSource by a source using the alias "DayKalif," who had previously supplied breach data from Last.fm. Rambler, founded in 1996 and often compared to Yahoo for its email, news, and online shopping services, did not respond to multiple contact attempts by both LeakedSource and IBTimes UK regarding the incident.

Cyber Incident Image

The breach's origins remained unclear, with LeakedSource speculating potential causes including an Apache or Linux zero-day vulnerability or credential reuse from other contemporary breaches like LinkedIn. The delayed public exposure until 2016 was attributed to researchers locating individuals possessing the data. This incident formed part of a pattern of large-scale breaches from the early 2010s, including VK, Myspace, Yahoo, Dropbox, and LinkedIn, many of which subsequently appeared on dark web marketplaces. A vendor named "doubleflag" was identified as offering portions of these combined datasets, including Rambler's, alongside breaches from Dropbox, uTorrent, and BitcoinTalk. The plaintext password storage significantly amplified risks of credential stuffing attacks and account takeovers, particularly given Rambler's market position competing with Yandex and Mail.ru—the latter having suffered its own major breach. No containment measures or remediation actions by Rambler were documented in available reports.

Sources
Sources available to members
2 sources