Russian state-owned social network VK breached again, affecting 390M users


VK (VKontakte), the largest Russian social media and networking service, reportedly suffered a massive data breach that affected more than half of its users.

According to a threat actor who goes by the moniker Hikki-Chan on BreachForums, an illicit marketplace, VK suffered a massive data breach in September 2024. The threat actor posted the data almost for free for anyone to download, requiring only a few forum credits.

VK has 1.1 billion monthly visitors, which places the social network as the 23rd most visited website globally, according to Similarweb. Its audience is mostly Russian (89% of all traffic).

“This breach exposed the personal information of hundreds of millions of users, including basic identification and location details,” the threat actor claimed.

The listed categories of compromised data include ID number, name, surname, sex, profile image, country, and city.

The uploaded 7z archive contains 390.4 million records, which take 27.6GB of storage space when uncompressed.

“We can confirm that there have been no security breaches of any kind, including those involving personal information. VK user data is securely protected, and the content in question was collected solely from publicly available sources. This information does not contain any confidential data, but consists of details that our users have voluntarily shared on their profiles,” VK said in a statement.

This website was launched in 2006 and was co-created by Pavel Durov, the chief executive of the popular cloud-based messaging app Telegram, who was recently arrested in France.

In December 2021, VK was taken over by Russian state-owned companies. Following the Russian military invasion of Ukraine and international sanctions, the VK app was removed from the Apple App Store but is still available on the Google Play store.

Hackread.com was the first to discover the post on BreachForums. The threat actor claimed to Hackread.com that VK was not breached directly, but the data was obtained through a breach of a third party that exposed VK’s data.


This is neither the first nor the second case of VK user data being disseminated online. In 2022, VK suffered a leak of more than 126GB of data, containing 32 million records, including links to photos, full names, and other scraped and API-queried data. According to security researcher Bob Diachenko, even closed or protected VK accounts were included in the leak.

In June 2016, hackers stole 171 million VK accounts and tried to sell the data, including plain-text passwords, online for about $580, according to ZDNet.

Threat actor Hikki-Chan emerged at the beginning of 2024 and previously targeted multiple Israeli companies and government institutions, including the Israeli Police, Ministry of Defense, and Ministry of Welfare and Social Affairs, according to a report by security company Cyfirma.

Updated on September 5th [11:10 p.m. GMT] with a statement from VK.