Remember MySpace? If you joined it before, you will want to revisit it quickly

More than 360 million records are said to have been leaked, which would make it one of the biggest leaks of passwords ever.

MYSPACE MIGHT NOT have been relevant for a number of years now, and relaunches and changing owners have not helped matters, but it’s back for the wrong reasons.

LeakedSource, the same company which compiled a database of the most used passwords gathered from the LinkedIn hack, has compiled another database with leaked MySpace passwords.

If the data is accurate, it would be one of the largest password leaks to happen with more than 360 million records in the database. It is not known when this breach happened, but it likely happened a few years back.

Why is such an old website relevant now? It’s because if you had an account with it, chances are it’s linked to your current email address, and if you think password standards now aren’t great, the ones used back in 2008 were even worse, according to LeakedSource.

The methods MySpace used for storing passwords are not what internet standards propose and is very weak encryption… we noticed that very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character which makes it much easier for people to decrypt.

The other noticeable factor was the number of accounts with the password ‘homelesspa’, which is assumed to be automatically generated as all the emails that used it followed the same format.

Apart from that, the list of popular bad passwords shared a lot of similarities with other lists. The likes of ‘password1’, ‘abc123’, ‘123456’ and ‘myspace1’ topped the list while ‘@Yahoo.com’ was the most popular email domain used with 126 million accounts using it.

According to Vice Motherboard, a hacker named Peace has put the data up for sale for the price of six bitcoins (roughly €2,928) on the darknet. The hacker also did the same thing with LinkedIn data which was leaked recently.

‘Mega breaches’

Another site that has fallen victim to the same problem is Tumblr, where 65 million accounts have been discovered for sale on the darknet.

The database includes email accounts and passwords, but unlike MySpace, the measures Tumblr took to protect its passwords mean it will be incredibly difficult to crack them.

All passwords were ‘hashed’, a process where a password is turned into a different string of digits, and ‘salted’, which adds a random string to a password before it’s hashed.
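The difference between the two storage approaches described above, as an added example that is not from the article or from either site. Unsalted SHA-1 stands in for a weak scheme (an assumption, since the article does not name the algorithm MySpace used), PBKDF2 with a per-user random salt stands in for a hashed-and-salted one, and the accounts are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; the passwords are ones the article lists as common.
ACCOUNTS = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "abc123"),
    ("carol@example.com", "password1"),
    ("dave@example.com", "myspace1"),
]

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value, tune for your hardware)


def weak_hash(password):
    """Unsalted fast hash: the same password always gives the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)


def shared_digests(digests):
    """Count accounts whose stored digest is identical to another account's."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)


def audit():
    """Store every account both ways and report how many digests collide."""
    weak = [weak_hash(p) for _, p in ACCOUNTS]
    strong = [strong_hash(p) for _, p in ACCOUNTS]
    return shared_digests(weak), shared_digests(d for _, d in strong), strong


if __name__ == "__main__":
    weak_shared, strong_shared, _ = audit()
    print(f"unsalted: {weak_shared} accounts share a digest")
    print(f"salted:   {strong_shared} accounts share a digest")
```

With the unsalted scheme, recovering one digest exposes every account that chose the same password; with per-user salts each record has to be attacked separately, and the slow derivation raises the cost of every guess.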

One security researcher, Troy Hunt, who runs haveibeenpwned (HIBP), a service which keeps a record of database breaches and notifies those affected, said there was a trend of old breaches only emerging now, which could mark the beginning of ‘mega breaches’ being revealed.

“This data has been lying dormant (or at least out of public sight) for long periods of time,” he said in a blog post. “And these four breaches (LinkedIn, Flirt, Tumblr and MySpace) are all in the top five largest ones HIBP has ever seen. That’s out of 109 breaches to date, too”.

If this indeed is a trend, where does it end? What more is in store that we haven’t already seen? And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?
