Data pinched from around 360 million MySpace accounts is up for sale online, according to recent reports.
Lorenzo Franceschi-Bicchierai at Vice Motherboard said the information can be purchased on criminal forums and is being sold by “Peace”, the same hacker who sold credentials for 165 million LinkedIn accounts this month.
Leakedsource.com, a service that allows users to check their credentials against stolen data sets, wrote in a blog post that the information “may contain an email address, a username, one password and in some cases a second password.”
Further, Leakedsource.com stated that, of the 360 million records stolen, 111,341,258 accounts had a username attached and 68,493,651 had a secondary password (some did not have a primary password).
What’s more, the firm pointed out that “The methods MySpace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it's not encryption at all but it gets worse. We noticed that very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character which makes it much easier for people to decrypt.”
Although it is currently unknown when the information was stolen, the list of most commonly used passwords among the data would suggest the details are old, with culturally based passwords linked to phenomena most popular during the late 1990s and early 2000s.
MySpace was launched in 2003 before being purchased by News Corporation in 2005. The site went on to become the most dominant social-networking website in the world between 2005 and 2008, surpassing Google as the most visited website in the US in 2006. It was not until 2008 that Facebook overtook MySpace in terms of unique worldwide visitors, and since then MySpace's number of users has steadily declined.
Despite this, the site, which recently claimed to have surpassed the threshold of one billion users, still had an estimated 50 million unique visitors per month as of 2015. With this in mind, and taking into account the fact that many accounts, even if they are dormant, might still contain sensitive data that can be leveraged in an attack, this data theft could pose a significant risk for MySpace users old and current. It also shows that the site was hacked at some point, and that MySpace either did not know about it or simply did not disclose it publicly or to its customers.
Users who still have an active MySpace account are advised to change their password and, more importantly, to change the password on any other, more sensitive services where they use the same password as on their MySpace account.