
More than 427 million MySpace passwords might have just been leaked

This definitely isn't in anyone's top 8.


AJ Dellinger


Posted on May 27, 2016   Updated on May 26, 2021, 5:06 pm CDT

There may finally be a reason to return to your MySpace account, but it’s not because Tom’s old social network is back in vogue; more than 427 million passwords have reportedly been stolen from the site.

According to LeakedSource, a paid hacked data search engine, the web’s social network of choice appears to have been the victim of one of the largest database leaks ever recorded. LeakedSource is currently hosting a database of 427,484,128 passwords and 360,213,024 email addresses that have been linked to MySpace.

The information was brought to LeakedSource by a user who goes by the alias Tessa88. A member of LeakedSource told the Daily Dot that Tessa88 is not believed to be a hacker, but rather just a user who either happened upon or collected the data. The member said that the collective “are not hackers, just scavengers. If we get a dump, that means someone else has it as well.”

In that sense, the data possessed by LeakedSource resembles the massive trove of 1.7 billion credentials to popular email providers or the 127 million compromised LinkedIn accounts also hosted by LeakedSource, both discovered earlier this month.

The difference in the case of MySpace is the apparent hack went entirely unreported. LinkedIn made its users aware of a hack in 2012, and none of the email services had unreported leaks. MySpace never made its users aware that their accounts may have been compromised, either intentionally to hide the breach or because the site just never knew about it.

A member of LeakedSource said that it currently doesn’t know the exact date of the breach, but it’s searching and plans to update its blog with additional information if available. LeakedSource has tried to contact MySpace regarding the hack, but hasn’t made contact yet. The Daily Dot also reached out to MySpace for comment but didn’t receive a response at the time of publication.

Without MySpace’s direct cooperation, LeakedSource has attempted to confirm the validity of the dataset independently. “We contacted friends of ours who used the site and asked if we could confirm their info,” a member of LeakedSource said. “They agreed and after providing them with the information, we have confirmed this was the info they used for MySpace.”

The passwords from the MySpace database were hashed with SHA-1, a secure hash algorithm that researchers have suggested has outlived its usefulness and should be retired. There was also no “salting” of the passwords, a practice that mixes a random value into each password before it is hashed and typically makes the resulting hashes harder to crack. LeakedSource noted very few passwords were more than 10 characters in length and next to none of them contained an uppercase character, even though greater length and mixed case are both commonly suggested for creating stronger passwords.
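To make the salting point concrete, here is an added example (not code from LeakedSource, MySpace, or the original article) that stores the same constructed accounts two ways: as bare SHA-1 digests, and with a per-user random salt plus PBKDF2. The usernames, passwords, and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def sha1_unsalted(password):
    """The scheme the article describes: a bare SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def shared_hash_groups(stored):
    """Return sorted groups of users whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts; two users picked the same password.
SAMPLE = {"alice": "sunshine1", "bob": "sunshine1", "carol": "tr0ub4dor"}


def demo():
    unsalted = {u: sha1_unsalted(p) for u, p in SAMPLE.items()}
    salted = {u: salted_hash(p) for u, p in SAMPLE.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    weak, strong = demo()
    print("unsalted SHA-1, users sharing a hash:", weak)
    print("salted PBKDF2, users sharing a hash:", strong)
```

Without a salt, every account that uses the same password carries the same stored digest, so one recovered password exposes all of them at once; with per-user salts the stored values differ even when the passwords match.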

A LeakedSource member told the Daily Dot that it suggests that those affected by the breach change their password immediately—a task easier said than done if it’s been years since last logging into the social network.

LeakedSource is hosting the information on its website and has made it searchable so that users can check if they appear in its database—a feature similar to security expert Troy Hunt’s service Have I Been Pwned. Users who find their personal information in the database can contact LeakedSource to have it removed.

According to a LeakedSource member, the purpose of the service is “to give users the ability to search and find if their data is available online.” Its searchable database now spans more than 1.6 billion leaked records, gathered from hundreds of sources.

The site recently launched a new application program interface (API) for business use that is designed to help businesses determine if any of their users have been compromised. A LeakedSource member said the service will help companies improve their user security. 

The member pointed to instances like Netflix and Spotify, both regular targets for hackers who sell accounts for “dirt cheap” on black markets. “With use of our API, said company would be able to notify those users who are compromised,” the LeakedSource member said.

H/T Motherboard

*First Published: May 27, 2016, 9:04 pm CDT