The recently revealed breach of former social media giant Myspace could quite possibly be the biggest data breach ever, with 427 million passwords reportedly stolen during a 2013 hack.
Hacked readers will know of the LinkedIn breach which saw over 164 million users’ credentials sold for a relative pittance at 5 bitcoins (approx. $2,600).
Now, the same hacker who is hawking the LinkedIn user data has reportedly put up 360 million records of Myspace users' emails and passwords. The figure is already in the ballpark of being one of the biggest data breaches ever.
Motherboard, while in communication with the hacker who goes by the moniker “Peace”, also acquired a sample of the breached data from the operators of LeakedSource. The platform is a paid-for hacked data search engine and claimed to possess the breached data in a blog post of its own.
Here, LeakedSource revealed a total of 427,484,128 passwords acquired from the breach. Although there were only 360 million corresponding user accounts, many of them contained multiple passwords.
Poor Password Practice
LeakedSource further revealed that passwords were stored as SHA1 hashes, SHA1 being a cryptographic hash function. Notably, no salting was implemented. Salting is the process of including random bytes as a suffix to every password before it is hashed. Fundamentally, salting makes the passwords exponentially harder to crack.
Having users’ passwords unsecured in such a manner compounds the error by Myspace, thereby allowing nearly half a billion passwords to be cracked easily.
Indeed, LeakedSource even has a list of the top passwords used by Myspace users, having cracked the data dump already.
An excerpt from the website’s Myspace blog entry read:
The methods Myspace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it’s not encryption at all…
“It gets worse,” LeakedSource added, noting that there were relatively few passwords, in the thousands, that were longer than 10 characters, implying that Myspace’s password practices were poor to begin with.
Myspace has, in a blog post of its own, confirmed that it was the victim of a data breach on June 11, 2013. It further claimed that the re-launch of the website in 2013 had better password practices including double salted hashes. However, the reinforced security measures came after the breach.
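The gap between the unsalted SHA1 storage described above and a salted scheme, as an added example that is not Myspace's or LeakedSource's code: with unsalted SHA1, accounts that chose the same password hold the same hash, while a per-user salt makes every stored record distinct. The PBKDF2-HMAC-SHA256 scheme, iteration count, record format and sample accounts are assumptions chosen for illustration, and the last function shows one way to migrate legacy records at login.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; tune to your hardware)

def legacy_sha1(password: str) -> str:
    """Unsalted SHA1, the storage scheme the article describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against either record format, in constant time."""
    if "$" not in stored:  # legacy record: bare 40-hex SHA1 digest
        return hmac.compare_digest(legacy_sha1(password), stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def upgrade_on_login(password: str, stored: str) -> str:
    """After a successful login, replace a legacy SHA1 record with a salted one."""
    if "$" not in stored and verify_password(password, stored):
        return hash_password(password)
    return stored

def shared_hashes(records: dict) -> int:
    """Number of accounts whose stored hash also appears on another account."""
    counts = Counter(records.values())
    return sum(n for n in counts.values() if n > 1)

# Constructed sample accounts; two of them chose the same password.
USERS = {"alice": "password1", "bob": "password1", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    unsalted = {u: legacy_sha1(p) for u, p in USERS.items()}
    salted = {u: upgrade_on_login(USERS[u], h) for u, h in unsalted.items()}
    print("accounts sharing a hash, unsalted SHA1:", shared_hashes(unsalted))
    print("accounts sharing a hash, salted PBKDF2:", shared_hashes(salted))
    print("carol verifies:", verify_password("tr0ub4dor&3", salted["carol"]))
```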