According to a recent report from LeakedSource, the MySpace data breach that was recently announced by Time Inc., resulted in the theft of 427 million passwords and affected approximately 360 million accounts. Usernames, email addresses passwords, and in some cases, a secondary password, were stolen.
Many mega data breaches have been announced in 2016 that occurred in 2012/2013, but none have been on this scale. In terms of the number of users affected, the MySpace data breach is the largest ever reported.
After June 11, the site used enhanced security. Only accounts that were created prior to this date have been affected. The security updates in June 2013 included using double salted hashes. In the event of a breach, the passwords would be particularly difficult to crack. Prior to June 11, passwords were encrypted with the SHA-1 algorithm and were not salted. This makes than easy to crack. MySpace responded to the data breach by resetting all of the passwords on the site.
LeakedSource indicates 360,213,024 user accounts were in the dataset and almost a third of those accounts (111,341,258) had an associated username. The data were recently listed for sale on an online hacking forum.
The person responsible for the hack is not known, although the data were listed on Darknet marketplace The Real Deal by a hacker operating under the name “Peace”. Independent security researcher, Thomas White, also posted the data on his website from where it can be accessed by anyone.
Following the password reset, MySpace users may not be at risk of their old MySpace accounts being hijacked, but that does not mean current and former users of the site are out of the woods. It is common for passwords to be shared across multiple online accounts. If the compromised password is still in use on other sites associated with the same username, it is possible that those accounts could be hijacked. It is likely only to be a matter of time before some individual tries to use the stolen passwords to sign into other online accounts.
Anyone who has had a MySpace account who has not reset their password since June 2013 should do so ASAP if they still use the site. If passwords have been shared across multiple web platforms, those passwords should also be changed.
The MySpace data breach should serve as a reminder of why it is important not to reuse passwords for multiple services. If one account is breached, every other account is placed at risk.