A hacker who claims to have stolen data on more than 164 million LinkedIn users now claims to have 360 million MySpace passwords and emails, which would rank as one of the largest password heists ever, according to Motherboard. Evidence suggests the data has circulated among hackers.
On Friday afternoon, the hacker, who goes by the name “Peace,” put the hacked MySpace data up for sale on the Real Deal darknet website for 6 bitcoin (about $2,800). He told Motherboard he will put the listing up for sale before others start spreading it.
When Was MySpace Breached?
Peace and a LeakedSource operator claim the MySpace data is from a previous breach that was never reported. LeakedSource is a search engine for paid hacked data.
Neither source provided evidence of the hacked data. However, Motherboard provided LeakedSource email addresses for two friends and three staffers with accounts on the site to verify the data. LeakedSource was able to send the passwords back for all five people.
LeakedSource, which announced the leak Friday in a blog, claims the database has 427,484,128 passwords and 360,213,024 emails. Each record in the dataset has a username, an email address, a password, and in some cases, a second password, the site claimed.
LeakedSource Offers To Remove Information
The blog advised MySpace users to contact LeakedSource if they find their information and have it removed free of charge.
The blog said LeakedSource does not engage in, encourage or condone unlawful entry into private systems.
Out of the 360 million, 111,341,358 accounts contained a username while 68,493,651 had a secondary password, according to LeakedSource. Some did not have a primary password.
Subscribers pay LeakedSource $2 per day to $265 per year for access to more than 1.6 million leaked or hacked records.
The data was provided by Tessa88, LeakedSource noted. An operator for the site said, however, that they were not aware of the data breach’s origins. They also did not know who breached MySpace in the first place, who possessed the data in the interim, or when the hack occurred. The data was bound to leak at some point, the source said.
The operator in an online chat said such secrets are bound to be broken, given the number of people who have the information. Once data is repeatedly traded, it finds its way to someone who divulges it.
MySpace did not return requests for comment.
The passwords were originally “hashed” with the SHA1 algorithm, which is known to be easy to crack, LeakedSource wrote. The company did not “salt” the passwords in the hashing process. Salting refers to adding random bytes at the end of passwords before hashing them, so they are harder to crack.
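The following Python code is an added example, not code from MySpace, LeakedSource or Motherboard. It stores the same passwords once as unsalted SHA1 and once with a per-user random salt and a slow key-derivation function (PBKDF2, chosen here as one standard option), and counts how many stored values are shared between accounts. The account names, passwords, function names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "Tr0ub4dor&3")]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha1(password):
    """Scheme the article describes: a single fast SHA1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest  # store both next to the account record


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_values(stored):
    """Number of distinct stored values that belong to more than one account."""
    return sum(1 for count in Counter(stored).values() if count > 1)


def demo():
    weak = [unsalted_sha1(pw) for _, pw in ACCOUNTS]
    strong = [hash_password(pw)[1] for _, pw in ACCOUNTS]
    return shared_values(weak), shared_values(strong)


if __name__ == "__main__":
    weak_shared, strong_shared = demo()
    print("unsalted SHA1, values shared across accounts:", weak_shared)
    print("salted PBKDF2, values shared across accounts:", strong_shared)
```

With unsalted SHA1, every account using the same password stores the same value, so one guess settles all of them; with per-user salts each record has to be attacked separately, at the cost of the full iteration count per guess.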
Will More Passwords Be Cracked?
LeakedSource expects to crack up to 99% of the passwords by month’s end, the operator said, although they did not say how many were cracked already.
MySpace, once one of the largest websites, has declined in use. But the site recently claimed to be approaching a billion registered users and reported having 50 million unique monthly visitors.
If the numbers reported are correct, the breach is one of the largest data thefts ever. It also indicates MySpace either never learned of the breach or did not disclose it to users.
Hacked reported on Thursday that Peace was trying to sell emails and passwords of some 117 million LinkedIn users from a 2012 server breach.
Breach Shows Need For Security
The MySpace incident demonstrates that risks remain, even in instances of dormant accounts that contain personal information.
Motherboard encouraged MySpace users to change their passwords. More importantly, they should also change their passwords on any other site where they used the same one.
Motherboard also encouraged users to use a password manager such as 1Password or LastPass to ensure passwords are strong and different for every website.