“Myspace was hacked,” writes LeakedSource on its dedicated page for MySpace.com.
They give no details about this hack other than that they received a copy of the data from an email address (not from the hacker).
In fact, nowhere on the web are there any details, let alone proof, that this has actually happened.
This includes Myspace’s own site.
LeakedSource appears to be the only entity that knows anything about these 427+ million passwords (for 360 million users).
Yet LeakedSource only retweets what two other websites have written about them. There is not a single comment of their own about this hack.
One of the articles even gives details of steps that LeakedSource took to check the validity of the data. If so, why is this not written on their blog?
If this is true, then I can’t imagine how they could miss the opportunity to write about possibly the biggest leak of accounts (email + password) of all time.
There is something wrong here. What is actually going on?
On one side, what I see is a very entrepreneurial approach to dealing with a possible hack.
LeakedSource offers payment packages ranging from $4 to $320, payable in Bitcoin or PayPal.
On the other side, they give some details about the types of passwords used on the Myspace website. If true, these are details you can only know if you have the data.
Another source for this data in bulk is a user of the TheRealDeal darknet shop called Peace_of_mind, who sells the database dump as a plain text file for 6 BTC (about $3100).
Some math
The seller wrote that the database contains an email address, a username, a password and, in some cases, a second password, all hashed with SHA1 and not salted (this is bad).
We have 35.3 GB of plain text data and, according to the seller, this means 360,213,024 records.
That is 37,903,086,387.2 bytes in total (taking 1 GB = 1024³ bytes), which gives about 105 bytes per record.
A SHA1 hash is always 20 bytes, so with two hashes per record that leaves 65 bytes for username and email address. This is not enough!
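Why "not salted" is the worst part of that description, shown with an added example that is not part of the original post. The accounts, the password list and the PBKDF2 parameters below are constructed for illustration; the hashing calls are standard library. With unsalted SHA1, every user who chose the same password gets the same hash, so one precomputed table row matches all of them; a per-user salt plus a slow key-derivation function removes both properties.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample accounts (not from any dump): two users chose the same
# weak password, which is exactly the case an unsalted hash exposes.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "correct horse battery staple"),
]

# A tiny constructed stand-in for a table of common passwords, computed once.
COMMON_PASSWORDS = ["password", "123456", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Hash the way the seller describes the dump: SHA1 over the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def unsalted_dump(accounts):
    """Simulate what a leaked, unsalted table would look like."""
    return [(email, sha1_unsalted(pw)) for email, pw in accounts]


def accounts_matched_by_table(dump, common) -> int:
    """Count accounts whose stored hash appears in a table computed once.
    Without a salt, one table row matches every user who chose that password."""
    table = {sha1_unsalted(pw): pw for pw in common}
    return sum(1 for _, h in dump if h in table)


def pbkdf2_salted(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The iteration count is an illustrative value; tune it upward for production."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, cost, salt and derived key, hex-encoded.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def salted_dump(accounts):
    """Same accounts stored the defensible way: identical passwords no longer collide."""
    return [(email, pbkdf2_salted(pw)) for email, pw in accounts]


def distinct_hashes(dump) -> int:
    return len({h for _, h in dump})


if __name__ == "__main__":
    weak = unsalted_dump(SAMPLE_ACCOUNTS)
    strong = salted_dump(SAMPLE_ACCOUNTS)
    print("unsalted: distinct hashes", distinct_hashes(weak),
          "| matched by a single table:", accounts_matched_by_table(weak, COMMON_PASSWORDS))
    print("salted+PBKDF2: distinct hashes", distinct_hashes(strong),
          "| verify alice:", verify_pbkdf2("123456", strong[0][1]))
```

The unsalted dump has only two distinct hashes for three accounts, and the shared one is recognisable from a table that was computed once; the salted store has three distinct values and can only be checked one account at a time, at the cost set by the iteration count.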
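The size check above, carried through as an added example (not from the original post). The file size and record count are the seller's figures as quoted on the page; the record layout (colon-separated fields, one line per record) is an assumption. The example also adds the caveat a practitioner would raise: a SHA1 digest is 20 raw bytes, but in a plain text file it is normally written as 40 hexadecimal characters, which shrinks the per-record budget for email and username further.

```python
GIB = 1024 ** 3               # the page's byte total corresponds to binary gigabytes

DUMP_SIZE_GIB = 35.3          # seller's figure, as quoted on the page
RECORD_COUNT = 360_213_024    # likewise
SHA1_RAW_BYTES = 20           # a SHA1 digest is 20 raw bytes ...
SHA1_HEX_CHARS = 40           # ... but 40 characters once hex-encoded in a text file


def bytes_per_record(size_gib: float, records: int) -> float:
    """Average bytes available per record for the given dump size."""
    return size_gib * GIB / records


def identity_budget(per_record: float, hash_len: int,
                    hashes_per_record: int, separators: int) -> float:
    """Bytes left for email + username after the hashes and field separators."""
    return per_record - hash_len * hashes_per_record - separators


def record_line(email: str, username: str, primary_hex: str,
                secondary_hex: str = "", sep: str = ":") -> bytes:
    """One plausible text-dump line; the layout is an assumption for this example."""
    return f"{email}{sep}{username}{sep}{primary_hex}{sep}{secondary_hex}\n".encode("utf-8")


if __name__ == "__main__":
    per = bytes_per_record(DUMP_SIZE_GIB, RECORD_COUNT)
    print(f"{per:.2f} bytes per record")
    # The page's reading: two raw 20-byte digests, nothing else.
    print("budget for email+username, raw digests:",
          identity_budget(per, SHA1_RAW_BYTES, 2, 0))
    # Hex-encoded digests plus three separators and a newline, as a text file would hold them.
    print("budget for email+username, hex digests:",
          identity_budget(per, SHA1_HEX_CHARS, 2, 4))
    # A constructed record (hashes replaced by placeholder characters) for comparison.
    sample = record_line("alice.smith@example.com", "alice_smith", "a" * 40, "b" * 40)
    print("constructed sample line is", len(sample), "bytes")
```

With hex-encoded hashes and separators, a realistic record with a modest email address and username already exceeds the 105-byte average, which sharpens the author's point rather than weakening it.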
According to LeakedSource, quoted by Vice.com (http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach),
“Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password),”
Myspace requires a username and an email address. You can’t have one without the other, and you can’t remove either of them.
How can this be possible?
What kind of dump did they get?
So, again, what is this?
Is this maybe Myspace test data left on some server for developers to play with (it has happened to other companies)?
Or it may just be a fake.
I tried to change my secure 13-character password, containing letters (lower and upper case), numbers and special characters, to something that appears in the screenshot from LeakedSource: 123456
It worked!
The only restriction is the length: the minimum password length is 6 characters, no matter which, and there is no check on what is being entered.
How careless!
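The length-only rule observed above, beside the kind of check that would have rejected 123456, as an added example that is not part of the original post. The legacy function encodes exactly the rule the post describes (at least 6 characters, nothing else); the hardened one is an illustration of current practice: a minimum length of 8 (the NIST SP 800-63B floor for user-chosen passwords), a blocklist of commonly used passwords, and no reuse of the account's own username or email local part. The blocklist and the sample candidates are constructed for the example.

```python
# Constructed stand-in for a real blocklist of commonly used passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

MIN_IDENTIFIER_LEN = 4  # ignore very short identifiers in the "contains username" check


def legacy_policy_accepts(password: str) -> bool:
    """The rule the post observed on Myspace: at least 6 characters, nothing else checked."""
    return len(password) >= 6


def hardened_policy_accepts(password: str, username: str, email: str,
                            min_length: int = 8) -> bool:
    """Minimum length, blocklist of common passwords, and no account identifier inside it."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return False
    local_part = email.split("@", 1)[0].lower()
    for ident in (username.lower(), local_part):
        if len(ident) >= MIN_IDENTIFIER_LEN and ident in lowered:
            return False
    return True


def compare_policies(candidates, username: str, email: str):
    """Side-by-side verdicts: (password, accepted by legacy rule, accepted by hardened rule)."""
    return [(pw, legacy_policy_accepts(pw), hardened_policy_accepts(pw, username, email))
            for pw in candidates]


if __name__ == "__main__":
    # Constructed account and candidate passwords for the demonstration.
    user, mail = "alice_smith", "alice.smith@example.com"
    for pw, legacy, hardened in compare_policies(
            ["123456", "alice_smith2016", "Tr0ub4d", "correct horse battery staple"], user, mail):
        print(f"{pw!r:34} legacy={legacy!s:5} hardened={hardened}")
```

Only the last candidate passes the hardened rule; the first passes the legacy rule precisely because length is all it measures.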
Conclusion
The future will tell us if this data is true or not and probably how the sellers got their hands on it.
Until then, if you are a potentially affected user, please change your password to a secure one.
© Copyright 2016 Sorin Mustaca, All rights reserved. Written for: Sorin Mustaca on Cybersecurity
Ionut Arghire of SecurityWeek wrote a very good article about the potential breach of Myspace.com: 427 Million MySpace Passwords Appear For Sale (http://www.securityweek.com/427-million-myspace-passwords-appear-sale) and I was quoted a lot! Thanks, Ionut!