Your Long-Forgotten Myspace Account May Have Just Gotten Hacked
If, like most people, you've long consigned your decade-old Myspace account to oblivion, congrats! From Hell's heart, Myspace stabs at thee.
The details of over 360 million Myspace accounts, including potentially sensitive information like passwords and email addresses, are being advertised for sale online, BBC reported.
According to Motherboard, paid hacked data search engine LeakedSource has access to the Myspace data, which consists of 427 million passwords, though they're paired with just 360 million email addresses. LeakedSource allows users to verify whether or not their email address was associated with one of the leaked accounts, but asks for payment to reveal what information was compromised.
"Motherboard gave LeakedSource the email addresses of three staffers and two friends who had an account on [Myspace] to verify that the data was real," Motherboard wrote. "In all five cases, LeakedSource was able to send back their password."
LeakedSource shows that millions of the accounts used easy-to-guess passwords like "password1," "abc123," "fuckyou1" and "123456789" (the 855,000 accounts using the password "homelesspa" appear to have been auto-generated).
"Passwords were stored in SHA1 with no salting," LeakedSource wrote in a blog post. "'Salting' makes decrypting passwords exponentially harder when dealing with large numbers of passwords such as these. The methods Myspace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it's not encryption at all but it gets worse."
"We noticed that very few passwords were over 10 characters in length (in the thousands), and nearly none contained an upper-case character, which makes it much easier for people to decrypt," the site added.
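To make the storage weakness LeakedSource describes concrete, here is an added example (not from the article, LeakedSource or Myspace) that stores the same constructed accounts two ways: bare SHA-1 as described in the quote, and a per-account random salt with scrypt. The account list, the function names and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; the passwords are ones the article names as common.
ACCOUNTS = [
    ("a@example.com", "password1"),
    ("b@example.com", "password1"),
    ("c@example.com", "abc123"),
    ("d@example.com", "homelesspa"),
    ("e@example.com", "homelesspa"),
    ("f@example.com", "homelesspa"),
]

def store_unsalted_sha1(password):
    """Scheme described in the quote: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted_scrypt(password, salt=None):
    """Per-account random salt plus a memory-hard KDF (parameters are assumptions)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, key

def verify_scrypt(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted_scrypt(password, salt)
    return hmac.compare_digest(candidate, key)

def shared_digest_accounts(stored_values):
    """Count accounts whose stored value also appears on another account."""
    counts = Counter(stored_values)
    return sum(c for c in counts.values() if c > 1)

def demo():
    unsalted = [store_unsalted_sha1(p) for _, p in ACCOUNTS]
    salted = [store_salted_scrypt(p)[1] for _, p in ACCOUNTS]
    # Unsalted: equal passwords collapse to one digest, so one recovered
    # password exposes every account sharing it. Salted: every record differs.
    return shared_digest_accounts(unsalted), shared_digest_accounts(salted)

if __name__ == "__main__":
    print(demo())
```

Running the same duplicate count over a real credential table is a quick audit: any repeated stored value means passwords are hashed without a per-account salt.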
A smaller-but-still-massive breach of 65 million Tumblr accounts also recently hit the web on May 12. Both sites were hacked in 2013, according to BBC.
"Our analysis gives us no reason to believe that this information was used to access Tumblr accounts," Tumblr administrators wrote in a post to their website. "As a precaution, however, we will be requiring affected Tumblr users to set a new password."
It's not just Myspace and Tumblr; a web user's history can haunt them long after they have forgotten they ever registered an account. For example, a cursory search of the LeakedSource engine using a Mic staffer's personal email address revealed a compromised Tumblr account, LinkedIn and Adobe data, and forum accounts possibly created as early as mid-2007.
"There's been some catalyst that has brought these breaches to light, and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related," wrote security researcher Troy Hunt on his blog, reported BBC. "Even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the 'mega' category that are simply sitting there in the clutches of various unknown parties?"