Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Did a MySpace Hack Compromise 427 Million Passwords?Website LeakedSource Claims It Obtained Stolen Data
The breach notification site LeakedSource claims that social networking website MySpace has been hacked, with 360 million credentials containing 427 million encrypted passwords compromised. But LeakedSource acknowledges the age of the credentials is unknown. And the veracity of the data remains in question.
Earlier this month, Leaked Source, which provides a search engine for hacked data and charges a fee to subscribe, also reported that 170 million credentials appear to have been compromised in the 2012 breach of social networking site LinkedIn.
"LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data," the company says in a blog about the apparent MySpace leak. "This database was provided to us by a user who goes by the alias Tessa88@exploit.im, and has given us permission to name them in this blog."
Each leaked credential "may contain an email address, a username, one password and in some cases a second password," LeakSource says. Passwords were hashed with the SHA1 algorithm with no salting, the company notes.
Regarding how far back the hacked information might date, LeakedSource tells Information Security Media Group via Twitter, "We don't have any clue; nothing in the data suggests a date."
MySpace did not immediately respond to an ISMG request for comment.
The same hacker who was selling LinkedIn credentials has claimed to have gained access to the MySpace credentials, the website Motherboard reports. Neither the hacker nor LeakedSource provided a sample of the hacked MySpace data for verification of its authenticity, Motherboard reports.
A Record-Breaking Breach?
The breach, if confirmed, could be a record-breaker.
"If it turns out to be legitimate, this would certainly be one of largest - if not the largest - breaches of credentials we've seen to date," Troy Hunt, who runs the free "Have I Been Pwned?" service, which alerts users when their registered email addresses appear in public data dumps - tells ISMG.
"The significance of a breach like this is always twofold: access to the accounts on the site via leaked credentials and access to other accounts via credential reuse."
In the wake of the LinkedIn breach, on May 18, LinkedIn CISO Cory Scott said the company will invalidate all passwords that haven't been changed since 2012. "We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven't updated their password since that breach," he said. "We will be letting individual members know if they need to reset their password."
LinkedIn said it's also begun legal action to attempt to get the password dump taken down, although by some accounts the data was stolen by a Russian cybercriminal, meaning legal moves will probably have no effect. "We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply," Scott said. "In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts."
While the report by LeakedSource of the MySpace hack comes just weeks after the LinkedIn breach revelation, "I don't think social media sites are any more of a target than other sites," Hunt says. "It's more likely a reflection of sites with large volumes of users being a high target. We've seen a spate of dating site hacks recently too."
As for who might be behind the latest hack attack, Hunt says: "It's always hard to attribute malicious activity like this purely based on what we see in the breach data. This attack looks to be quite old too due to the relatively small portion of Gmail accounts, although that could also be representative of the fact that the MySpace heyday has well and truly passed."
Cameron Camp, a security researcher at ESET, a security services firm, questions the veracity of the leaked MySpace data. "I looked at their list, and the top supposedly hacked password is "homelesspa" with a purported 855,478 examples. I find that hard to believe. The rest of the top ten are more frequently found on the big lists of common passwords, but they still don't map to what you'd expect, in terms of frequency/distributions that are typical on big breaches.
"Also, due to some accounts having two passwords, there are 427.4 million passwords for only 360 million users. Which begs the question, why were they keeping a list of multiple passwords per account?"
Social media site are big targets because they offer a wealth of information scammers can use for ID theft for resale or future exploits, Camp says. "Combine that with the staggering amount of information people either share directly or that can be inferred - like family, physical location, etc., and it becomes a goldmine for scammers."