Gamigo warned users in early March that an “attack on the Gamigo database” had exposed hashed passwords and usernames and possibly other, unspecified “additional personal data.” The site required users to change their account passwords as soon as possible after the breach was discovered. The 11 million-password leak four months later increases the risk for users who reused the same password on other sites, because the dump contained e-mail addresses from Gmail, Yahoo, Hotmail, IBM, Siemens, ExxonMobil, and Allianz, among others.
Even after removing duplicates, the number of passwords in this latest dump is among the largest seen in a public breach this year. In June, more than 6.4 million hashed passwords belonging to members of the business networking website LinkedIn were posted online, and more than 1 million passwords belonging to eHarmony users were also exposed. Although both lists were hashed, freely available cracking programs such as John the Ripper and Hashcat make it possible to recover a large percentage of most dumps in a matter of minutes or hours, and most of the remainder within days, particularly when the hashes are unsalted and computed with a fast algorithm.
One of the largest recognized password leaks came in 2009, when more than 32 million plaintext passwords taken from the online game service RockYou were published. Even with duplicates removed, the list contained more than 14 million unique passwords. That list now serves as one of the main wordlists attackers use in dictionary attacks against leaked password hashes.
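To show why a hashed dump is little protection against a wordlist like RockYou, here is an added example (not code from the article or from any of the sites it discusses). It runs a dictionary attack against a handful of unsalted SHA-1 hashes, the format the 2012 LinkedIn dump used, and then the same attack against salted, iterated hashes, counting hash evaluations in each case. The passwords, the hashes and the miniature wordlist are constructed for the example; the salted scheme (PBKDF2-HMAC-SHA256 with a random 16-byte salt) is an assumed defensive configuration, not one any of the breached sites are known to have used.

```python
import hashlib
import hmac
import os

# Constructed sample: made-up passwords hashed with unsalted SHA-1, the kind of
# record a leaked credential dump might contain. Not taken from any real dump.
SAMPLE_PASSWORDS = ["123456", "password", "iloveyou", "gamigo2012", "Wq7!pzL2#vA"]
LEAKED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS}

# Constructed stand-in for a wordlist such as rockyou.txt, one candidate per line.
WORDLIST = """123456
12345
password
iloveyou
princess
1234567
rockyou
abc123
gamigo2012
"""


def candidates(wordlist):
    """Yield non-empty, stripped candidate passwords from a wordlist string."""
    for line in wordlist.splitlines():
        word = line.strip()
        if word:
            yield word


def crack_unsalted(hashes, wordlist, algo="sha1"):
    """Dictionary attack against unsalted hashes.

    With no salt, each candidate is hashed once and checked against every
    target at the same time, so the cost is proportional to the wordlist
    size, not to wordlist size times number of users. Returns a mapping of
    hex digest -> recovered password and the number of hash evaluations.
    """
    found = {}
    evaluations = 0
    for word in candidates(wordlist):
        digest = hashlib.new(algo, word.encode()).hexdigest()
        evaluations += 1
        if digest in hashes:
            found[digest] = word
    return found, evaluations


def make_salted_record(password, iterations=100_000):
    """Store a password as salt + PBKDF2-HMAC-SHA256 output (assumed defensive scheme)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def crack_salted(records, wordlist):
    """Same dictionary attack against salted, iterated hashes.

    Every guess must be re-derived per record with that record's salt, so
    no work is shared between users, and each derivation costs `iterations`
    underlying hash computations instead of one. Returns a mapping of
    record index -> recovered password and the number of PBKDF2 derivations.
    """
    found = {}
    derivations = 0
    words = list(candidates(wordlist))
    for idx, rec in enumerate(records):
        for word in words:
            dk = hashlib.pbkdf2_hmac("sha256", word.encode(), rec["salt"], rec["iterations"])
            derivations += 1
            if hmac.compare_digest(dk, rec["hash"]):
                found[idx] = word
                break
    return found, derivations


if __name__ == "__main__":
    cracked, n = crack_unsalted(LEAKED_HASHES, WORDLIST)
    print(f"unsalted SHA-1: recovered {len(cracked)}/{len(LEAKED_HASHES)} with {n} hash evaluations")

    records = [make_salted_record(p, iterations=1000) for p in SAMPLE_PASSWORDS]
    cracked, n = crack_salted(records, WORDLIST)
    print(f"salted PBKDF2:  recovered {len(cracked)}/{len(records)} with {n} derivations "
          f"x {records[0]['iterations']} hashes each")
```

Both attacks recover the four passwords that appear in the wordlist and miss the one that does not; what changes is the cost. The unsalted run needs one SHA-1 per wordlist entry regardless of how many users the dump holds, which is what lets Hashcat or John the Ripper chew through millions of LinkedIn-style hashes per second. The salted, iterated run has to repeat the whole wordlist for each user and pay a thousand (in production, far more) hash computations per guess. Salting does not save a user whose password is in the wordlist, only a slow, salted hash plus a password that is not in the wordlist does.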