There’s an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked.
MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever.
And it looks like the data is being circulated in the underground by other hackers as well. It’s unclear when the data was stolen from MySpace, but both the hacker, who’s known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it’s from a past, unreported, breach.
Neither Peace nor LeakedSource provided a sample of the hacked data. But Motherboard gave LeakedSource the email addresses of three staffers and two friends who had an account on the site to verify that the data was real. In all five cases, LeakedSource was able to send back their password.
The database contains 427,484,128 passwords, but there are only 360,213,024 million emails, according to LeakedSource, which announced the leak on Friday in a blog post. Each record in the hacked dataset contains “an email address, a username, one password and in some cases a second password,” according to the site.
“Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password),” wrote LeakedSource, which provides subscribers, who pay between $2 a day to $265 a year, with access to what the site claims is a collection of more than 1.6 billion hacked or leaked records.
LeakedSource wrote that the data was provided by someone who goes by the alias Tessa88, but in an interview with Motherboard, an operator for the site said they were unaware of the real origins of the data breach, such as who originally breached MySpace, nor who has had the data “this whole time” or when the company was hacked. But this data was bound to leak eventually, they said.
“It's the nature of information. ‘Three can keep a secret, if two of them are dead,’” the operator told me in an online chat. “Once data gets traded a few times, eventually it will make its way to somebody who is not trustworthy to keep it a secret, and then it will spread like branches of a tree.” MySpace did not respond to multiple requests for comment.
The passwords were originally “hashed” with the SHA1 algorithm, which is known to be weak and easy to crack, LeakedSource wrote. What’s worse, the company didn’t “salt” the passwords in the hashing process. Salting means adding a series of random bytes to the end of passwords before hashing them to make them harder to be cracked.
That’s why LeakedSource’s operator told me they expect to crack 98 or 99 percent of them by the end of the month, though the operator declined to say how many have been already cracked.
While the social network, which was one of the largest site on the internet more than 10 years ago, is now just a shell of its former self, this is still a significant hack. The site, which recently boasted about crossing the threshold of one billion registered users, still had a reported 50 million unique visitors per month as of last year.
Also, if the total numbers are accurate, this is one of the largest data thefts ever. And, more importantly, this shows that at some point MySpace got hacked. And either the company never found out, or didn’t disclose it, neither publicly nor to its users. If all the data indeed comes from MySpace, this would be the largest breach of emails and passwords ever, topping the list on the data breach awareness site Have I Been Pwned.
Hence, there are still risks for users, even in case of abandoned or dormant accounts, which might still contain personal data that could be leveraged for other attacks. Bottom line, if you still have a MySpace account, change your password. But, most importantly, you should change your password on other, more sensitive services if you were using the same password there too. And please, consider using a password manager such as LastPass or 1Password to help you use unique, strong, passwords for every different website.
On Friday afternoon, the hacker known as Peace put the MySpace hacked data up for sale on the dark web market The Real Deal. Peace is asking for 6 Bitcoin (roughly $2,800) for the stolen passwords and emails. "I'll put listing for sale before idiots start spreading it," Peace told me in an online chat.