Okay, we know nobody remembers MySpace anymore, but the site still surprisingly serves 50 million unique visitors a month. Once a social media giant, the site was apparently hacked and the data of over 360 million MySpace accounts is up for grabs. Wondering who is selling this data? The same hacker who was selling data of over 160 million LinkedIn users last week.
Stolen data of over 360 million MySpace users up for sale
The hacker claims to have 360 million emails and passwords of MySpace users, possibly making it one of the largest password leaks ever. The data reportedly come forward from an unreported breach of the social network. Both the hacker, known as Peace, and LeakedSource, a search engine of hacked data, claim to have the credentials but haven't shared any sample of the data. To verify, folks at Motherboard gave email addresses of 5 MySpace users and LeakedSource "was able to send back" passwords of all the five accounts.
MySpace was hacked. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data. This database was provided to us by a user who goes by the alias "Tessa88@exploit.im", and has given us permission to name them in this blog. MySpace has not returned our request for comment on this matter, nor have they replied to a similar request from a reporter. - LeakedSource
Announcing the leaked data earlier today, LeakedSource claimed that the database contains 427,484,128 passwords, but only 360,213,024 million emails, as some accounts had a second password attached. Over 360 million records have leaked, each containing "an email address, a username, one password and in some cases a second password." The hacker has now put the data up for sale for 6 Bitcoin ($2,800) in the dark web market The Real Deal.
Talking about the encryption level of stored passwords, LeakedSource said that the passwords were stored in SHA1 with no salting, making decrypting incredibly easy. "The methods MySpace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it's not encryption at all," noted LeakedSource. The site expects to crack 98 or 99% of all the leaked passwords by the end of the month.
This will be an immense amount of data, and even though the site is no longer used by many, considering our poor password management practices, few of these might actually yield some active and useful combinations that work on other sites. As Motherboard points out, "this is one of the largest data thefts ever," if the numbers pan out and are shared accurately.