427 million hacked MySpace usernames and passwords make their way online


If you’ve ever had a MySpace account it’s time to be concerned, with a revelation that 427 million usernames and passwords have been hacked from the site.

LeakedSource, a site that gathers leaked data and places it into a searchable database, claims that the MySpace user information was provided to them by an anonymous user with an email address linked to a Russian-language exploit chat site.

The leak dataset includes “an email address, a username, one password and in some cases a second password.”

There are said to be exactly 360,213,024 email IDs and 427,484,128 passwords in the data; of the 360 million, 111,341,258 accounts had a username attached and 68,493,651 had a secondary password.

The inclusion of unencrypted passwords in the data set is said to be due to the fact that the passwords were stored as SHA1 hashes with no salting; as LeakedSource explains:

“Salting” makes decrypting passwords exponentially harder when dealing with large numbers of passwords such as these. The methods MySpace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it’s not encryption at all.

Making the situation worse, the site went on to explain that very few passwords were over 10 characters in length and nearly none contained an upper case character, which made the data easier for people to decrypt.
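The difference between the unsalted SHA1 storage described above and a salted, slow hash, as an added example that is not from the article or LeakedSource. The account names, passwords and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def unsalted_sha1(password: str) -> str:
    """Storage scheme the article describes: plain SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_record(password: str) -> dict:
    """Hardened form: random per-account salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def distinct_values(stored) -> int:
    """Number of different stored values across all accounts."""
    return len(set(stored))

# Constructed sample accounts (not taken from the leak).
ACCOUNTS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "sunshine1",
    "dave": "Tr0ub4dor&3",
}

def audit() -> dict:
    """Compare how many distinct stored values each scheme produces."""
    unsalted = [unsalted_sha1(p) for p in ACCOUNTS.values()]
    salted = [salted_record(p) for p in ACCOUNTS.values()]
    return {
        # Equal passwords collapse to one digest when there is no salt.
        "unsalted_distinct": distinct_values(unsalted),
        # With a per-account salt every stored value is unique.
        "salted_distinct": distinct_values((r["salt"], r["digest"]) for r in salted),
    }

if __name__ == "__main__":
    print(audit())
```

Without a salt, the three accounts sharing a password are stored as one identical digest, so the work to recover it is spent once for all of them; with a per-account salt and a slow KDF, that work has to be repeated for every account.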

Real data

LeakedSource charges for access to full records, so it’s impossible to confirm all the figures in the data; however, Motherboard was able to verify that five staffers’ MySpace credentials were present in the data.

Using a similar test (you can confirm whether data is present via LeakedSource’s search facility), SiliconANGLE was able to confirm, via both a username and email search, that user credentials were definitely there.

To make matters worse, the person behind the hack of MySpace data has put the full data set up for sale on the dark web market The Real Deal with an asking price of 6 Bitcoin, the equivalent of $3,148 at the time of writing.

Usually, with a hack of a site it would be recommended that you change your password on the affected site, but despite growing in numbers since relaunching as a music sharing site, few people today actually use the service, and the hack itself would appear to have occurred some years ago.

As always: practice safe internet and use a password that includes upper and lower case letters, numbers and symbols, rather than one of the most popular passwords used by MySpace users according to LeakedSource.

Image credit: blmurch/Flickr/CC by 2.0