MySpace, LinkedIn Data Just a Click Away
Researcher Posts Links to Hundreds of Millions of Credentials
It doesn't take long for compromised data to be shared across the cybercriminal underground. And when the leaking starts, it spreads like wildfire. So it was only a matter of time before data from two of the largest data breaches of all time, the attacks on MySpace and LinkedIn, became easily accessible.
Thomas White, an independent security researcher in the U.K., has now made the 360 million credentials from the MySpace breach available on his personal website. He also posted download links for the 165 million LinkedIn accounts recently released.
In a chat over instant messaging, White acknowledged an ongoing risk to people who may still be reusing their MySpace and LinkedIn passwords on other services.
"Of course there is a risk," White says. "People will as a result probably get a few accounts compromised. But once that happens, they will probably reset their passwords now and learn the lesson, rather than learn it in 12 months when they have five more accounts with the same password."
Closely held for years, the LinkedIn and MySpace data sets bubbled to the surface in May after being posted for sale on underground forums by Tessa88@exploit.im, a suspected Russian hacker. It was unclear why the data was suddenly put up for sale years after the breaches occurred (see LinkedIn, MySpace Hacker 'Urgently' Needs Money).
The 165 million LinkedIn accounts came from a 2012 data breach initially thought to have only affected 6.5 million accounts. MySpace said user accounts created prior to June 2013 were affected, which indicated when it may have been breached. Other confirmed data dumps released in May included Fling and Tumblr (see 'Historical Mega Breaches' Continue: Tumblr Hacked).
The MySpace and LinkedIn credentials contained user names and hashes of passwords. A hash is a fixed-length value produced by running the password through a one-way cryptographic function; the site stores the hash rather than the password itself.
It should be nearly impossible to convert a hash back into the original password. But prior to both breaches, the services were still using the SHA1 algorithm for hashing, which has long been considered insecure for this purpose. SHA1 hashes, especially those of simple passwords, can be cracked by hashing candidate passwords and comparing the results, and how many hashes fall depends on how much computing power is dedicated to the task.
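To make the point about hashing concrete, here is an added example that is not part of the original article and not code from either service. It contrasts the bare SHA1 scheme the article describes with a salted, iterated password hash (PBKDF2-HMAC-SHA256, a standard choice assumed here for illustration). The sample password, the stored-record format and the helper names are constructed for this example. Two things stand out: with unsalted SHA1, every user who chose the same password gets the same hash, so one cracked hash unlocks all of them and precomputed tables apply; with a per-user random salt and a deliberately slow function, identical passwords produce different records and each guess costs far more. The last helper is the triage check a responder would run over a leaked or inherited credential store: a bare 40-hex-character value has the shape of an unsalted SHA1.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample password for the demonstration; any string works.
SAMPLE_PASSWORD = "summer2012"


def legacy_sha1(password: str) -> str:
    """Unsalted SHA1 hex digest: the weak scheme the article says both sites used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted, iterated hash.

    Stored record format is constructed for this example:
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    A fresh 16-byte random salt is drawn per call, so the same password
    never produces the same record twice.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_record(scheme, password: str) -> bool:
    """True when two users picking the same password end up with identical
    stored values, which is what makes unsalted hashes crack in bulk."""
    return scheme(password) == scheme(password)


def looks_like_raw_sha1(stored: str) -> bool:
    """Triage check over a credential dump or legacy database: a bare
    40-hex-char field is the shape of an unsalted SHA1 digest."""
    s = stored.strip().lower()
    return len(s) == 40 and all(c in "0123456789abcdef" for c in s)


if __name__ == "__main__":
    print("SHA1 identical for identical passwords:",
          same_password_same_record(legacy_sha1, SAMPLE_PASSWORD))
    print("PBKDF2 identical for identical passwords:",
          same_password_same_record(pbkdf2_hash, SAMPLE_PASSWORD))
    record = pbkdf2_hash(SAMPLE_PASSWORD)
    print("PBKDF2 verifies correct password:", pbkdf2_verify(SAMPLE_PASSWORD, record))
    print("Legacy field flagged as raw SHA1:", looks_like_raw_sha1(legacy_sha1(SAMPLE_PASSWORD)))
```

Note that salting alone does not fix the speed problem: SHA1 with a salt still lets a cracker test hundreds of millions of guesses per second on commodity GPUs. The iteration count is what raises the per-guess cost, and it should be tuned so that one verification takes a noticeable fraction of a second on the site's own hardware.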
The data from all of the dumps quickly circulated among security researchers and breach notification services such as LeakedSource and Have I Been Pwned.
Not Hard to Find
For those who knew where to look, the data from the MySpace and LinkedIn breaches wasn't hard to find. But for those who don't regularly browse hidden .onion websites and underground hacking forums, it could be considerably harder.
White created two subdomains on his website that host torrents, small files that allow both data sets to be downloaded using the BitTorrent file-sharing protocol. Asked whether he would remove the MySpace data if its Time Inc.-owned parent company, Viant, requested it, White displayed a vulgar animated GIF image with a phrase that can't be printed here.
"In my experience, it's the one kind of reply that guarantees the legal department doesn't reply," he says.
MySpace and LinkedIn officials did not immediately respond to a request for comment.
Public Domain?
Although it would be futile to stop the spread of data on hacking forums and sites, the services could issue copyright takedown notices citing the Digital Millennium Copyright Act. Avid Life Media, which owns the extramarital dating site Ashley Madison, did that several times following the disclosure of users' data on a variety of U.S. websites that are subject to the act.
The Electronic Frontier Foundation criticized Avid Life Media for using the DMCA to get data removed, contending the act was intended for cases of copyright infringement and not just an expedient way to get embarrassing material removed.
White's website, however, is hosted in the U.K. White says that personally identifiable information is covered under the U.K.'s Data Protection Act. Under that act, a person could file a Subject Access Request to see the information, he says.
But once information is in the public domain, White says use or distribution "of the information without the intention to profit from it or using it in the course of business is within the rights of freedom of expression. It would be a defense to argue it is in the public interest where a company failed to act within a reasonable time frame or take reasonable actions to remediate the situation."
White has hosted other data dumps, including Ashley Madison; Patreon, a crowdfunding website; 000webhosting, a free web hosting service; and the Fraternal Order of Police, the largest U.S. police union.
In October 2015, White wrote that he'd been threatened for posting leaked data. But he maintained that publishing it serves the public interest by allowing people to vet how companies protect data. He also argues that it's important to have a malware-free source from which to obtain the data for analysis.
Troy Hunt, who runs the breach notification service Have I Been Pwned, says that he understands White's reasoning, but he doesn't like the idea of redistributing leaked data.
"It [the data] just spreads more," Hunt says. "I'm not really sure it does that much good at this stage." That said, "People who wanted the data are going to be able to find it easy enough."