Gamigo warned users in early March that an “attack on the Gamigo database” had exposed hashed passwords and usernames and possibly other, unspecified “additional personal data.” The site required users to change their account passwords as soon as possible after the breach was discovered. The leak of 11 million passwords four months later raises the possibility that users who reused the same passwords on other sites remain at risk, because the dump contained e-mail addresses from Gmail, Yahoo, Hotmail, IBM, Siemens, ExxonMobil, and Allianz, to name a few.
Even after removing duplicates, the number of passwords in this latest dump is among the largest seen in a public breach this year. In June, more than 6.4 million hashed passwords belonging to members of the business networking website LinkedIn were posted online. More than 1 million passwords for eHarmony users were also exposed. Although the passwords in those lists were hashed, the availability of free cracking programs such as John the Ripper and Hashcat makes it possible to crack a large percentage of most dumps in a matter of minutes, hours, or days.
One of the most significant known password leaks came in 2009, with the publication of more than 32 million plaintext passwords retrieved from the online game service RockYou. Even with duplicates removed, the list included more than 14 million passwords. That list now serves as one of the key sources many hackers use to brute-force passwords.