Did a MySpace Hack Compromise 427 Million Passwords?
Website LeakedSource Claims It Obtained Stolen Data
The breach notification site LeakedSource claims that social networking website MySpace has been hacked, with 360 million credentials containing 427 million encrypted passwords compromised. But LeakedSource acknowledges the age of the credentials is unknown. And the veracity of the data remains in question.
Earlier this month, LeakedSource, which provides a search engine for hacked data and charges a fee to subscribe, also reported that 170 million credentials appear to have been compromised in the 2012 breach of social networking site LinkedIn.
“LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data,” the company says in a blog about the apparent MySpace leak. “This database was provided to us by a user who goes by the alias Tessa88@exploit.im, and has given us permission to name them in this blog.”
Each leaked credential “may contain an email address, a username, one password and in some cases a second password,” LeakedSource says. Passwords were hashed with the SHA1 algorithm with no salting, the company notes.
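As an added illustration (not code from the article, LeakedSource or MySpace), the Python below shows why unsalted SHA1 storage, as described above, is weak from a defender's standpoint, and what a per-user salted, iterated alternative looks like. The three sample accounts are constructed; the salt length and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records: three users, two of whom chose the same password.
SAMPLE_USERS = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "password1"),
]


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA1 as described in the leak: same password -> same digest,
    so one precomputed table of common passwords covers every account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(users):
    """Map each unsalted digest shared by more than one account to its count.
    Without a salt, equal digests expose password reuse across accounts
    before a single password is recovered."""
    counts = Counter(unsalted_sha1(pw) for _, pw in users)
    return {digest: n for digest, n in counts.items() if n > 1}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Iteration count is an assumed value; tune it to your hardware budget."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(password: str):
    """Create a stored (salt, hash) pair; two users with the same password
    get different hashes because their salts differ."""
    salt = secrets.token_bytes(16)  # assumed 16-byte salt
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(salted_hash(password, salt), stored)
```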
Regarding how far back the hacked information might date, LeakedSource tells Information Security Media Group via Twitter, “We don’t have any clue; nothing in the data suggests a date.”
MySpace did not immediately respond to an ISMG request for comment.
The same hacker who was selling LinkedIn credentials has claimed to have gained access to the MySpace credentials, the website Motherboard reports. Neither the hacker nor LeakedSource provided a sample of the hacked MySpace data for verification of its authenticity, Motherboard reports.
A Record-Breaking Breach?
The breach, if confirmed, could be a record-breaker.
“If it turns out to be legitimate, this would certainly be one of the largest – if not the largest – breaches of credentials we’ve seen to date,” Troy Hunt tells ISMG. Hunt runs the free “Have I Been Pwned?” service, which alerts users when their registered email addresses appear in public data dumps.
“The significance of a breach like this is always twofold: access to the accounts on the site via leaked credentials and access to other accounts via credential reuse.”
In the wake of the LinkedIn breach, LinkedIn CISO Cory Scott said on May 18 that the company would invalidate all passwords that haven’t been changed since 2012. “We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach,” he said. “We will be letting individual members know if they need to reset their password.”
LinkedIn said it has also begun legal action to attempt to get the password dump taken down, although by some accounts the data was stolen by a Russian cybercriminal, meaning legal moves will probably have no effect. “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply,” Scott said. “In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.”
While the report by LeakedSource of the MySpace hack comes just weeks after the LinkedIn breach revelation, “I don’t think social media sites are any more of a target than other sites,” Hunt says. “It’s more likely a reflection of sites with large volumes of users being a high target. We’ve seen a spate of dating site hacks recently too.”
As for who might be behind the latest hack attack, Hunt says: “It’s always hard to attribute malicious activity like this purely based on what we see in the breach data. This attack looks to be quite old too due to the relatively small portion of Gmail accounts, although that could also be representative of the fact that the MySpace heyday has well and truly passed.”
(Watch for updates on this developing story.)
from DataBreachToday.com RSS Syndication http://ift.tt/1P4Ilnx