WeHeartIt Data Breach Analysis
Preface
WeHeartIt, an image sharing website, suffered a data breach in late 2013. However, the breach was not discovered until it suddenly appeared on the web a few years later. The company stated that the data breach affected over 8 million customers.
What data is at risk?
The WeHeartIt data breach took place in late 2013 and the breached data includes email addresses, usernames and passwords. According to WeHeartIt themselves, although the passwords were encrypted, the encryption algorithm was weak:
the encryption algorithms commonly used to encrypt passwords in 2013 are no longer secure due to advancements in computer hardware.
WeHeartIt
In a blog post the company said that it has made improvements to its security protocols, password security, its database and the whole system in general. At the time the data breach was announced, the company was still hashing their customers’ passwords with a more secure password hashing algorithm – BCrypt.
Email addresses
The WeHeartIt data breach does not hold that many records compared to some of the other data breaches but on the other hand, it holds over 8 million records. With that many people at risk, naturally there are hundreds of email domains used by WeHeartIt customers. Here’s the top 100 email domains used in the breach:
| # | Email Domain | Quantity |
| 1 | hotmail.com | 2,588,267 |
| 2 | gmail.com | 2,324,102 |
| 3 | yahoo.com | 1,064,937 |
| 4 | live.com | 146,636 |
| 5 | aol.com | 136,488 |
| 6 | hotmail.fr | 118,576 |
| 7 | hotmail.co.uk | 108,108 |
| 8 | qq.com | 79,613 |
| 9 | mail.ru | 75,017 |
| 10 | web.de | 74,567 |
| 11 | ymail.com | 66,480 |
| 12 | hotmail.it | 62,257 |
| 13 | hotmail.de | 53,262 |
| 14 | live.nl | 43,240 |
| 15 | gmx.de | 39,798 |
| 16 | icloud.com | 36,766 |
| 17 | aim.com | 33,472 |
| 18 | msn.com | 32,750 |
| 19 | me.com | 32,651 |
| 20 | hotmail.es | 32,005 |
| 21 | googlemail.com | 30,525 |
| 22 | live.fr | 30,118 |
| 23 | rocketmail.com | 29,613 |
| 24 | live.se | 29,113 |
| 25 | live.it | 24,632 |
| 26 | yahoo.de | 23,530 |
| 27 | outlook.com | 23,372 |
| 28 | yahoo.com.br | 21,916 |
| 29 | live.co.uk | 21,192 |
| 30 | comcast.net | 20,587 |
| 31 | windowslive.com | 18,252 |
| 32 | live.no | 17,768 |
| 33 | hotmail.con | 16,779 |
| 34 | libero.it | 16,734 |
| 35 | yandex.ru | 16,515 |
| 36 | wp.pl | 16,196 |
| 37 | yahoo.co.uk | 16,114 |
| 38 | 163.com | 15,317 |
| 39 | live.de | 15,186 |
| 40 | hotmail.ca | 15,115 |
| 41 | abv.bg | 14,790 |
| 42 | live.ca | 14,455 |
| 43 | hotmail.se | 14,280 |
| 44 | seznam.cz | 14,138 |
| 45 | yahoo.fr | 13,854 |
| 46 | i.softbank.jp | 13,034 |
| 47 | hotmail.nl | 13,004 |
| 48 | hotmail.no | 12,899 |
| 49 | yahoo.co.id | 12,790 |
| 50 | live.com.mx | 12,590 |
| 51 | ezweb.ne.jp | 12,054 |
| 52 | freemail.hu | 11,482 |
| 53 | gmail.con | 10,142 |
| 54 | sbcglobal.net | 9,710 |
| 55 | yahoo.it | 9,688 |
| 56 | citromail.hu | 9,660 |
| 57 | live.com.au | 9,123 |
| 58 | t-online.de | 8,970 |
| 59 | orange.fr | 8,324 |
| 60 | inbox.lv | 8,215 |
| 61 | att.net | 7,922 |
| 62 | yahoo.ca | 7,829 |
| 63 | live.dk | 7,777 |
| 64 | walla.com | 7,770 |
| 65 | o2.pl | 7,462 |
| 66 | verizon.net | 7,050 |
| 67 | mail.com | 6,982 |
| 68 | gmx.net | 6,905 |
| 69 | 126.com | 6,745 |
| 70 | gmx.at | 6,713 |
| 71 | yahoo.con | 6,555 |
| 72 | laposte.net | 6,411 |
| 73 | hotmail.co.nz | 6,078 |
| 74 | naver.com | 6,064 |
| 75 | live.cl | 5,505 |
| 76 | hotmail.be | 5,484 |
| 77 | rambler.ru | 5,476 |
| 78 | bk.ru | 5,414 |
| 79 | softbank.ne.jp | 5,309 |
| 80 | live.com.ar | 5,139 |
| 81 | yahoo.com.ph | 4,994 |
| 82 | live.be | 4,950 |
| 83 | hotmail.com.ar | 4,835 |
| 84 | yahoo.es | 4,786 |
| 85 | yahoo.co.jp | 4,715 |
| 86 | interia.pl | 4,604 |
| 87 | cox.net | 4,528 |
| 88 | op.pl | 4,419 |
| 89 | luukku.com | 4,371 |
| 90 | hotmail.ch | 4,272 |
| 91 | yahoo.gr | 4,233 |
| 92 | bluewin.ch | 4,189 |
| 93 | alice.it | 4,098 |
| 94 | hotmail.fi | 4,085 |
| 95 | btinternet.com | 4,063 |
| 96 | yahoo.com.mx | 4,049 |
| 97 | onet.pl | 3,963 |
| 98 | sina.com | 3,944 |
| 99 | yahoo.com.au | 3,883 |
| 100 | gmx.ch | 3,822 |
Looking at the data, we can tell that WeHeartIt had customers from multiple countries – the TLDs alone tell a lot:
| # | Email Domain | Quantity | Country |
| 1 | bluewin.ch | 2,588,267 | Switzerland |
| 2 | hotmail.fr | 118,576 | France |
| 3 | hotmail.co.uk | 108,108 | Great Britain |
| 4 | mail.ru | 75,017 | Russia |
| 5 | web.de | 74,567 | Germany |
| 6 | hotmail.es | 32,005 | Spain |
| 7 | live.se | 29,113 | Sweden |
| 8 | live.it | 24,632 | Italy |
| 9 | yahoo.com.br | 21,916 | Brazil |
| 10 | live.no | 17,768 | Norway |
| 11 | wp.pl | 16,196 | Poland |
| 12 | hotmail.ca | 15,115 | Canada |
| 13 | abv.bg | 14,790 | Bulgaria |
| 14 | seznam.cz | 14,138 | Czech Republic |
| 15 | i.softbank.jp | 13,034 | Japan |
| 16 | hotmail.nl | 13,004 | The Netherlands |
| 17 | yahoo.co.id | 12,790 | India |
| 18 | citromail.hu | 9,660 | Hungary |
| 19 | live.com.au | 9,123 | Australia |
| 20 | inbox.lv | 8,215 | Latvia |
| 21 | live.dk | 7,777 | Denmark |
| 22 | live.com.ar | 5,139 | Argentina |
| 23 | yahoo.com.ph | 4,994 | The Phillipines |
| 24 | live.be | 4,950 | Belgium |
| 25 | hotmail.fi | 4,085 | Finland |
The WeHeartIt data breach contained email addresses beginning with numbers. Here’s the breakdown:
| The Number An Email Address Starts With | Quantity |
| 0 | 3,177 |
| 1 | 30,795 |
| 2 | 13,199 |
| 3 | 12,237 |
| 4 | 11,575 |
| 5 | 9,619 |
| 6 | 6,580 |
| 7 | 7,735 |
| 8 | 7,174 |
| 9 | 7,956 |
Here’s the breakdown of email addresses beginning with letters:
| The Letter An Email Address Starts With | Quantity |
| a | 849,437 |
| b | 395,243 |
| c | 545,333 |
| d | 354,621 |
| e | 336,285 |
| f | 226,617 |
| g | 260,492 |
| h | 257,914 |
| i | 225,872 |
| j | 473,717 |
| k | 432,979 |
| l | 599,189 |
| m | 901,829 |
| n | 333,116 |
| o | 93,303 |
| p | 284,974 |
| q | 17,981 |
| r | 301,848 |
| s | 744,387 |
| t | 323,095 |
| u | 27,246 |
| v | 185,368 |
| w | 90,045 |
| x | 69,911 |
| y | 92,432 |
| z | 70,105 |
As the breached data had also contained usernames, here’s the breakdown of usernames beginning with numbers:
| The Number A Username Starts With | Quantity |
| 0 | 7,636 |
| 1 | 24,458 |
| 2 | 8,688 |
| 3 | 7,183 |
| 4 | 4,344 |
| 5 | 4,387 |
| 6 | 2,641 |
| 7 | 4,190 |
| 8 | 3,294 |
| 9 | 4,442 |
Here’s the breakdown of usernames beginning with letters:
| The Letter A Username Starts With | Quantity |
| a | 799,366 |
| b | 411,781 |
| c | 527,253 |
| d | 354,888 |
| e | 315,451 |
| f | 245,673 |
| g | 238,174 |
| h | 276,455 |
| i | 272,739 |
| j | 437,981 |
| k | 407,330 |
| l | 616,830 |
| m | 859,625 |
| n | 324,536 |
| o | 105,614 |
| p | 282,271 |
| q | 20,637 |
| r | 285,472 |
| s | 745,826 |
| t | 343,690 |
| u | 37,564 |
| v | 174,377 |
| w | 105,421 |
| x | 93,553 |
| y | 104,884 |
| z | 69,486 |
The conclusion
The WeHeartIt data breach, although relatively small, is a reminder that old systems are targets of hackers too – even legacy systems that have been abandoned by developers can come back to haunt them years later.