Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

Hackers are selling roughly 427 million passwords belonging to users of MySpace along with information on 65 million Tumblr users.

Hackers are peddling roughly 427 million passwords belonging to users of MySpace, a social network that in its heyday was one of the most visited sites on the internet.

The same service that claimed to have information on 164 million LinkedIn users earlier this month now boasts of having information on 360 million MySpace accounts.

According to a post on LeakedSource.com, which runs a searchable repository of leaked data, a user who goes by “Tessa88@exploit.im” provided the information.

The post claims that MySpace was hacked nearly three years ago, on June 11, 2013, and that the dataset contains 360,213,024 records, 111,341,258 of which contain a username and a password, and 68,493,651 of which contain a secondary password.

MySpace corroborated a few of those details in a FAQ about the incident on Tuesday, confirming that accounts created prior to June 11 are affected. The Time Inc.-owned company is admitting the breach is legitimate and attributes it to Peace, the same hacker who apparently carried out the LinkedIn hack two weeks back.

For what it’s worth, the company claims it’s using automated tools to attempt to identify and block suspicious activity on user accounts and that it has invalidated old user passwords. Users will be prompted to authenticate and then reset the passwords for their accounts the next time they log in.

Details around what exactly led to the breach are scant, but MySpace claims that it’s likely from before certain security measures were implemented on the site.

The passwords, few of which are over 10 characters long, were stored using the cryptographic hash function SHA-1, without salting, according to LeakedSource. SHA-1 is almost universally regarded as weaker than it was first designed to be. While salting hashes – the act of adding a random string of characters to passwords – isn’t enough on its own to protect data, it does make them more difficult to reverse.

The site claims it has improved security since 2013 and is now using double salted hashes – “random data that is used as an additional input to a one-way function that ‘hashes’ a password or passphrase” – to store its users’ passwords.
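The difference between the storage schemes described above can be seen in a short Python sketch. It is an added example, not code from MySpace, LeakedSource or the original article; the account names, passwords, function names and the PBKDF2 settings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "tr0ub4dor"}

def unsalted_sha1(password):
    """Bare SHA-1, the scheme LeakedSource reported for the old records."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_sha1(password, salt):
    """Random per-user salt mixed in before hashing (still a fast hash)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def shared_hashes(stored):
    """Return {hash: [users]} for every stored hash used by more than one user."""
    groups = {}
    for user, digest in stored.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}

def store_unsalted(accounts):
    return {user: unsalted_sha1(pw) for user, pw in accounts.items()}

def store_salted(accounts):
    """Returns {user: (salt, digest)}; the salt is stored beside the hash."""
    out = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_sha1(pw, salt))
    return out

def kdf_hash(password, iterations=600_000):
    """Salt plus a deliberately slow KDF; the iteration count is an assumed setting."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("unsalted, shared:", shared_hashes(store_unsalted(ACCOUNTS)))
    salted = {u: d for u, (_, d) in store_salted(ACCOUNTS).items()}
    print("salted, shared:  ", shared_hashes(salted))
    rec = kdf_hash("sunshine1")
    print("KDF verify:", kdf_verify("sunshine1", rec), kdf_verify("wrong", rec))
```

Without a salt, every account with the same password stores the same value, so one recovered password exposes all of them; the per-user salt removes that link, and the slow key-derivation function addresses the remaining weakness of a fast hash.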

According to Vice’s Motherboard, Peace is reportedly selling the data for six Bitcoin, roughly $2,800, on TheRealDeal, a darknet site.

A spokesperson for Viant, Time, Inc.’s data marketing firm, citing an ongoing investigation, wouldn’t comment further than what’s mentioned in Tuesday’s blog post.

MySpace, which in many ways was a precursor to Facebook, had nearly 80 million users at its peak. News Corp famously purchased the site in 2005 for $580 million and at one point it was valued at $12 billion before its eventual downturn. The site was purchased by Time Inc. in February.

News of the MySpace breach comes around the same time that the scope of another breach from 2013, blogging platform Tumblr, has come to light.

Tumblr informed users earlier this month that a third party was able to access a dataset of user email addresses, along with salted and hashed passwords. The information, Tumblr stressed, was from three years ago, shortly before Yahoo acquired it.

Until now, however, it was unclear exactly how many users were implicated by the hack. According to HaveIBeenPwned.com, a data breach awareness portal run by Troy Hunt, the breach included information on 65 million user accounts. Hunt, who obtained a copy of the dataset, calculated that the breach leaked information on 65,469,298 accounts to be exact, and acknowledged that the information, including passwords stored as salted SHA1 hashes, is being sold online.

According to Motherboard, which claims to have discussed the breach with Peace, who has access to the data, the hacker is selling the information for just .425 Bitcoin, or $150. Since the passwords are more difficult to crack in that format, the data is basically a list of emails, Peace claims, something that contributes to the low asking price.

According to Hunt, who spoke with Threatpost last week, big data breaches like LinkedIn, Tumblr, and MySpace are simply the new normal and sites like LeakedSource, which is also selling the Tumblr data, are selling day passes to the information.

“Breach data markets used to be more cloak and dagger. Now the data is a commodity,” Hunt said, “… with data breaches making headlines every day, we have created a social immunity to them.”

While there’s certainly been a spike in older breaches – in this case hacks from 2012 and 2013 – making headlines, experts don’t see it as anything new.

“I don’t think this is a new trend as much as there are more and more researchers focusing on the topic and discovering what’s been around for years now. As more of these breaches come to light, companies are digging deeper for this information,” Brian Bartholomew, a Senior Security Researcher for Kaspersky Lab’s Global Research and Analysis Team, said Tuesday.

“Data from large breaches has been available for some time. It’s just up until recently, the only ones who really knew about how much is out there were the ones trading in that market,” Bartholomew said.
