Pierluigi Paganini May 28, 2016

The hacker Peace is offering for sale hundred Million stolen MySpace Passwords on the black marketplace. This is one of the greatest leaks of ever.

A few days ago a hacker with the nickname “Peace” offered for sale on the black market 117 million LinkedIn account credentials.

The same hacker is offering for sale 360 million emails and passwords of MySpace users, an amazing amount of data, one of the largest password leaks of ever. Peace is offering the precious archive on The Real Deal for 6 Bitcoin (roughly $2,800, the data includes the stolen passwords and emails.

It is still unclear the source of data, but according to the LeakedSource service the archive is related to a past and unreported security breach.

LeakedSource is a search engine capable of searching over 1.6 billion leaked records obtained with the aggregation of data from hundreds of disparate sources.

Stolen records include username, primary password, email address, and for some users a second password.

“MySpace.com was hacked. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data.” states a blog post published by LeakedSource

“This data set contains 360,213,024 records. Each record may contain an email address, a username, one password and in some cases a second password. Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password, total is below). “

It seems that MySpace did not respect best practice for password management. The MySpace passwords were stored in SHA1 with no salting. As usual, these data breaches reveal the bad users’ habit in password management, very few passwords were over 10 characters in length and nearly none contained an upper case character.

LeakedSource is expected to crack almost all the MySpace Passwords in the leaked archive in a few days.

Source LeakedSource

According to MotherBoard, that was one of the first to publish the news, the MySpace Passwords are being circulated in the underground by other hackers as well.

Journalists at Motherboard, tried to verify the authenticity of the leaked MySpace Passwords, they decided to contact Peace to verify a number of account credentials belonging to their staffers.

“Neither Peace nor LeakedSource provided a sample of the hacked data. But Motherboard gave LeakedSource the email addresses of three staffers and two friends who had an account on the site to verify that the data was real. In all five cases, LeakedSource was able to send back their password.” reported Motherboard.

MySpace did not respond to multiple requests for comment, meantime is you are a MySpace user don’t waste time and change your password-

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

Pierluigi Paganini

(Security Affairs – MySpace passwords, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]