Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details

“Myspace was hacked” writes LeakedSource on their dedicated page for MySpace.com.

They do not add any kind of details about this hack except that they received a copy of the data from an email address (not from the hacker).

As a matter of fact, there are no details anywhere on the web, let alone proof, that this has indeed happened.

This includes Myspace’s site as well.

Leakedsource appears to be the only entity that knows something about these over 427 Mil passwords (for 360 Mil users).

But then, Leakedsource only retweets on their wall what two other websites have written about them. There is not a single comment written by them about this hack.
One of the articles even writes more details about some steps that Leakedsource took to check the validity of the data. If this is so, why is this not written in their blog?

If this is true, then I can’t imagine how they could miss the opportunity to write about possibly the biggest leak of accounts (email + password) of all time.

 

There is something wrong here. What is actually going on?

On one side, what I see there is a very entrepreneurial approach to dealing with a possible hack.

Leakedsource offers payment packages ranging between $4 – $320 payable as Bitcoin or Paypal.

On the other side, they give some details about the type of passwords used on the Myspace website. If they are true, you can only see these if you have the data.
Another source for this data in bulk is a TheRealDeal darknet shop user called Peace_of_mind. He sells the database dump in a plain text file for 6 BTC (about $3100).


Some math

The seller wrote that the database contains an email address, a username, a password and in some cases a second password. All hashed using SHA1, not salted (this is bad).

We have 35.3 GB of plain text data and according to the seller, this means 360,213,024 records.

This means 37,903,086,387.2 Bytes in total which gives us 105 Bytes per record (approximated).

A SHA1 hash is always 20 Bytes. So, we have 65 Bytes for username and email address. This is not enough!

According to LeakedSource, quoted by Vice.com (http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach),
“Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password),”

Myspace requires a username and an email address. You can’t have one without the other. And you can’t remove either of them.

How can this be possible?
What kind of dump did they get?

 

Again, so, what is this then?

Is this maybe test data of Myspace left on some server for the developers to play with (it has happened to other companies)?
Or it may just be a fake.

I tried to change my secure 13-character password containing letters (small and capital), numbers and characters to something which appears in the screenshot from LeakedSource: 123456
It worked!
The only restriction is the size: the minimum size of the password is 6 characters, no matter which, and there is no check on what is being written.
How careless!

 

Conclusion

The future will tell us if this data is true or not and probably how the sellers got their hands on it.
Until then, if you are a potentially affected user, please change your password to a secure one.


© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT Security industry since 2000 and worked for Avira between 2003 and 2014 as Product Manager for the known products used by over 100 million users world-wide. Today he is an independent IT Security Consultant focusing on Cybersecurity, secure software development and security for IoT and Automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.

1 Comment on "Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details"

  1. Ionut Arghire of SecurityWeek wrote a very good article about the potential breach of Myspace.com: 427 Million MySpace Passwords Appear For Sale (http://www.securityweek.com/427-million-myspace-passwords-appear-sale) and I was quoted a lot! Thanks, Ionut!
