Myspace, the once-popular social network, is relevant again for reasons you might not expect. The site recently discovered that user login data (including usernames, passwords and secondary passwords) were being sold on The Real Deal, a darkweb marketplace. Initial reports claim that the hacker responsible is “Peace,” who, if you don’t remember, was responsible for the Tumblr and LinkedIn hacks.
So how serious is the Myspace hack? The scope is enormous; 360 million user records and 427 million passwords were stolen. This makes it one of the biggest breaches in history by way of sheer volume.
So what information was involved? Myspace had this to say about the hack: “Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk. As you know, Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and Myspace username and password.”
And what are the implications of the breach for the average user? While the chances of anyone breaking into your zombie Myspace page are low, the breach is not to be taken lightly. Stolen credentials still fetch a high price in the cybercriminal economy because password reuse is so common. 70% of internet users admit to using the same password for their business email and social media accounts, meaning this breach can still make waves beyond Myspace.
Many brute force tools (programs built to automatically try thousands of password combinations against a given username or email) allow the user to enter keywords or known passwords (such as a birthday, dog’s name, street address, or other common elements used in a password). This gives the tool a point of reference from which it can begin to auto-generate password combinations. If a variation of your old Myspace password (adding a special character or capitalizing the first letter) was reused anywhere, a brute force tool in combination with this list of breached credentials could crack into an account in a matter of seconds.
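The same reasoning can be applied defensively when a user picks a new password: reject it if it is only a light variation of one already exposed in a breach. The sketch below is an added example, not code from Myspace or from this article; the function names, the substitution table and the sample list are assumptions made for illustration.

```python
import re
from typing import List, Optional

# Constructed sample of passwords known to be exposed for this user.
BREACHED = ["sunshine", "abc123", "password1", "123456"]

# Assumed table of common character swaps (not exhaustive).
LEET = str.maketrans("0134578@$!", "oleastbasi")

def canonical(pw: str) -> str:
    """Reduce a password to the core that variations are built from."""
    low = pw.lower()
    # Drop digits and symbols added to the front or back of the password.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if not core:
        # No letters at all (e.g. "123456!"): compare on the digits alone.
        return re.sub(r"\D", "", low) or low
    return core.translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def reuses_breached(candidate: str, breached: List[str],
                    max_edits: int = 1) -> Optional[str]:
    """Return the breached password the candidate is a near-variant of, else None."""
    cand = canonical(candidate)
    for old in breached:
        if edit_distance(cand, canonical(old)) <= max_edits:
            return old
    return None

if __name__ == "__main__":
    for pw in ["Sunshine1!", "P@ssw0rd2016", "123456!", "correct-horse-battery-staple"]:
        print(pw, "->", reuses_breached(pw, BREACHED))
```

A check like this belongs in the password-change flow, where the candidate is still available in plaintext before it is hashed.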
Myspace, although they were not aware of the breach until recently, did attempt to increase their site security in 2013. In the wake of the Myspace hack, Myspace assured its users of their security: “as part of the major site re-launch in the summer of 2013, Myspace took significant steps to strengthen account security.”
What kind of “significant steps” exactly has Myspace taken? Myspace is “currently utilizing advanced protocols including double salted hashes (random data that is used as an additional input to a one-way function that “hashes” a password or passphrase) to store passwords. Myspace has taken additional security steps in light of the recent report.” Let’s hope that the additional security steps are enough to defend against the modern cybercriminal.
While any breach is a problem, the sheer volume of the Myspace hack makes it one of the most significant breaches ever. The fact that the hack consists mostly of old Myspace accounts also brings up another problem: who remembers their old password, especially one from a long-ignored platform? As you could have guessed, the most popular passwords on the list included “password1,” “abc123,” and “123456.”
Our recommendations are simple and far from revolutionary: update your passwords to something stronger (longer and more complex), enable two-factor authentication on everything, and get a password manager. You’ve heard it before and you’ll hear it again. Unlike Myspace, being secure online will never go out of style.