WeHeartIt Data Breach Analysis

Preface

WeHeartIt, an image sharing website, suffered a data breach in late 2013. However, the breach was not discovered until it suddenly appeared on the web a few years later. The company stated that the data breach affected over 8 million customers.

What data is at risk?

The WeHeartIt data breach took place in late 2013 and the breached data includes email addresses, usernames and passwords. According to WeHeartIt themselves, although the passwords were encrypted, the encryption algorithm was weak:

the encryption algorithms commonly used to encrypt passwords in 2013 are no longer secure due to advancements in computer hardware.

WeHeartIt

In a blog post the company said that it has made improvements to its security protocols, password security, its database and the whole system in general. At the time the data breach was announced, the company was still hashing their customers’ passwords with a more secure password hashing algorithm – BCrypt.

Email addresses

The WeHeartIt data breach does not hold that many records compared to some of the other data breaches but on the other hand, it holds over 8 million records. With that many people at risk, naturally there are hundreds of email domains used by WeHeartIt customers. Here’s the top 100 email domains used in the breach:

# Email Domain Quantity
1 hotmail.com 2,588,267
2 gmail.com 2,324,102
3 yahoo.com 1,064,937
4 live.com 146,636
5 aol.com 136,488
6 hotmail.fr 118,576
7 hotmail.co.uk 108,108
8 qq.com 79,613
9 mail.ru 75,017
10 web.de 74,567
11 ymail.com 66,480
12 hotmail.it 62,257
13 hotmail.de 53,262
14 live.nl 43,240
15 gmx.de 39,798
16 icloud.com 36,766
17 aim.com 33,472
18 msn.com 32,750
19 me.com 32,651
20 hotmail.es 32,005
21 googlemail.com 30,525
22 live.fr 30,118
23 rocketmail.com 29,613
24 live.se 29,113
25 live.it 24,632
26 yahoo.de 23,530
27 outlook.com 23,372
28 yahoo.com.br 21,916
29 live.co.uk 21,192
30 comcast.net 20,587
31 windowslive.com 18,252
32 live.no 17,768
33 hotmail.con 16,779
34 libero.it 16,734
35 yandex.ru 16,515
36 wp.pl 16,196
37 yahoo.co.uk 16,114
38 163.com 15,317
39 live.de 15,186
40 hotmail.ca 15,115
41 abv.bg 14,790
42 live.ca 14,455
43 hotmail.se 14,280
44 seznam.cz 14,138
45 yahoo.fr 13,854
46 i.softbank.jp 13,034
47 hotmail.nl 13,004
48 hotmail.no 12,899
49 yahoo.co.id 12,790
50 live.com.mx 12,590
51 ezweb.ne.jp 12,054
52 freemail.hu 11,482
53 gmail.con 10,142
54 sbcglobal.net 9,710
55 yahoo.it 9,688
56 citromail.hu 9,660
57 live.com.au 9,123
58 t-online.de 8,970
59 orange.fr 8,324
60 inbox.lv 8,215
61 att.net 7,922
62 yahoo.ca 7,829
63 live.dk 7,777
64 walla.com 7,770
65 o2.pl 7,462
66 verizon.net 7,050
67 mail.com 6,982
68 gmx.net 6,905
69 126.com 6,745
70 gmx.at 6,713
71 yahoo.con 6,555
72 laposte.net 6,411
73 hotmail.co.nz 6,078
74 naver.com 6,064
75 live.cl 5,505
76 hotmail.be 5,484
77 rambler.ru 5,476
78 bk.ru 5,414
79 softbank.ne.jp 5,309
80 live.com.ar 5,139
81 yahoo.com.ph 4,994
82 live.be 4,950
83 hotmail.com.ar 4,835
84 yahoo.es 4,786
85 yahoo.co.jp 4,715
86 interia.pl 4,604
87 cox.net 4,528
88 op.pl 4,419
89 luukku.com 4,371
90 hotmail.ch 4,272
91 yahoo.gr 4,233
92 bluewin.ch 4,189
93 alice.it 4,098
94 hotmail.fi 4,085
95 btinternet.com 4,063
96 yahoo.com.mx 4,049
97 onet.pl 3,963
98 sina.com 3,944
99 yahoo.com.au 3,883
100 gmx.ch 3,822

Looking at the data, we can tell that WeHeartIt had customers from multiple countries – the TLDs alone tell a lot:

# Email Domain Quantity Country
1 bluewin.ch 2,588,267 Switzerland
2 hotmail.fr 118,576 France
3 hotmail.co.uk 108,108 Great Britain
4 mail.ru 75,017 Russia
5 web.de 74,567 Germany
6 hotmail.es 32,005 Spain
7 live.se 29,113 Sweden
8 live.it 24,632 Italy
9 yahoo.com.br 21,916 Brazil
10 live.no 17,768 Norway
11 wp.pl 16,196 Poland
12 hotmail.ca 15,115 Canada
13 abv.bg 14,790 Bulgaria
14 seznam.cz 14,138 Czech Republic
15 i.softbank.jp 13,034 Japan
16 hotmail.nl 13,004 The Netherlands
17 yahoo.co.id 12,790 India
18 citromail.hu 9,660 Hungary
19 live.com.au 9,123 Australia
20 inbox.lv 8,215 Latvia
21 live.dk 7,777 Denmark
22 live.com.ar 5,139 Argentina
23 yahoo.com.ph 4,994 The Phillipines
24 live.be 4,950 Belgium
25 hotmail.fi 4,085 Finland

The WeHeartIt data breach contained email addresses beginning with numbers. Here’s the breakdown:

The Number An Email Address Starts With Quantity
0 3,177
1 30,795
2 13,199
3 12,237
4 11,575
5 9,619
6 6,580
7 7,735
8 7,174
9 7,956

Here’s the breakdown of email addresses beginning with letters:

The Letter An Email Address Starts With Quantity
a 849,437
b 395,243
c 545,333
d 354,621
e 336,285
f 226,617
g 260,492
h 257,914
i 225,872
j 473,717
k 432,979
l 599,189
m 901,829
n 333,116
o 93,303
p 284,974
q 17,981
r 301,848
s 744,387
t 323,095
u 27,246
v 185,368
w 90,045
x 69,911
y 92,432
z 70,105

As the breached data had also contained usernames, here’s the breakdown of usernames beginning with numbers:

The Number A Username Starts With Quantity
0 7,636
1 24,458
2 8,688
3 7,183
4 4,344
5 4,387
6 2,641
7 4,190
8 3,294
9 4,442

Here’s the breakdown of usernames beginning with letters:

The Letter A Username Starts With Quantity
a 799,366
b 411,781
c 527,253
d 354,888
e 315,451
f 245,673
g 238,174
h 276,455
i 272,739
j 437,981
k 407,330
l 616,830
m 859,625
n 324,536
o 105,614
p 282,271
q 20,637
r 285,472
s 745,826
t 343,690
u 37,564
v 174,377
w 105,421
x 93,553
y 104,884
z 69,486

The conclusion

The WeHeartIt data breach, although relatively small, is a reminder that old systems are targets of hackers too – even legacy systems that have been abandoned by developers can come back to haunt them years later.

Leave a Reply

Your email address will not be published. Required fields are marked *