Information of 427 million MySpace accounts leaked, selling as a package at the price of 2800 dollars in black market

Last week, paid search engine of hacker data LeakedSource revealed 427 million user credentials of MySpace were leaked. Parent company Time Inc admitted the data leakage of its micro blog server and repeated some details we have already known yesterday.

Many people may not remember MySpace, who in years ago was the biggest social media website in the world before Facebook dominated the market. However, this social media has become a shell of its former self today with serious security problem. The website recently boasted that the number of their registered users has made the breakthrough to a billion. But according to last year’s report, there were only 50 million unique visitors per month.

The company wrote in the brief announcement:

In this weekend of Memorial Day, we realized the stolen user data of MySpace was on sale in the online hacker forum. The stolen data involved with part of data created in the former MySpace platform before June 11 2013. We firmly believe this leak was initiated by the Russian hacker organization Peace. There were the same attack behavior as in recent network attack of LinkedIn and Tumblr. We are now actively conducting an investigation. Any newly found clue will be published in time.

Leaked data on sale in black market

Same as data leak incidents of LinkedIn and Tumblr, backstage manipulator of this incident is Peace. When they stole the data from MySpace is still unknown. But the statements of the hacker and an operator from LeakedSource (paid search engine of hacker data) are consistent. The operator said there was evidence showing the reason for this data leakage was an unreported loophole.

Last Friday Afternoon, a hacker claimed to be Peace wanted to sell data of stolen passwords and accounts from MySpace in the online black market The Real Deal at the price of 6 bitcoin (about 2800 dollars).

LeakedSource said they obtained the information which contained passwords of 427,484,128 users from an anonymous user Tessa88@exploit.im of the instant messaging server Jabber. But not all the data could match with the accounts. Some of them were set with a second password while some only had a second password instead of master password.

What’s more, LeakedSource also mentioned that all the leaked data was stored and encrypted in SHA-1, which was the same as LinkedIn case, and it has weak performance. The company not doing “salt” to the passwords in the hash process has made the matter even worse, which means random bytes were not added to the end of passwords in order to make it unbreakable before the hash process. Therefore, analysts of LeakedSource were able to break most of the content. They were expected to break 98% to 99% of the code at the end of the month. But they refused to reveal how many they’ve already broken.

At present, neither Peace nor LeakedSource provided the sample of stolen data. In order to confirm the correctness of data, Motherboard once submitted email addresses of three employees and two employee’s friends who used the address to register on MySpace and LeakedSource responded with the correct passwords to each email address.

According to the data, the most commonly used passwords of MySpace account are as follow:

The most commonly used email domains of MySpace are as follow:

If the data above is all correct and from MySpace, this will be the largest scale of data leakage in the history and rank first in the data leak consciousness website Have I Been Pwned.

For users, it may be risky even if you abandon the account for it still contains personal data and can be used in other network attack. If you have MySpace account, the important thing is to change the password. Besides, if you use the same password in other sensitive network service, change it as well.

Data leak history of Sina, Renren and Tianya

The threat of data leakage has become increasingly serious. Except for foreign websites, many domestic social networking sites have been hacked like Sina Weibo, Tianya and Renren.

In the end of 2011, 40 million users’ information of Tianya has been leaked. Accounts, passwords and email addresses are all saved in clear texted and spread on the internet. The information was preliminary confirmed as validated.

Also in the end of 2011, 5 million of Renren data was leaked. Databases were published on the Internet for download.

4.76 million accounts and passwords of Sina Weibo were published for download.

The great amount of leaked user information not only involves with personal privacy but also can be used to spread malware. Website, individual user and enterprise all can be victim of this kind of malware. How to protect user data security will become one of the most important factors of enterprise competitive power in the future.

Article source: FreeBuf