There’s an oft-repeated adage in the world of cybersecurity: There
are two types of companies, those that have been hacked, and those that
don’t yet know they have been hacked.
MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well.
It’s unclear when the data was stolen from MySpace, but both the hacker, who’s known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it’s from a past, unreported, breach.
Neither Peace nor LeakedSource provided a sample of the hacked data. But Motherboard gave LeakedSource the email addresses of three staffers and two friends who had an account on the site to verify that the data was real. In all five cases, LeakedSource was able to send back their password.
The database contains 427,484,128 passwords, but there are only 360,213,024 million emails, according to LeakedSource, which announced the leak on Friday in a blog post. Each record in the hacked dataset contains “an email address, a username, one password and in some cases a second password,” according to the site.
Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password),” wrote LeakedSource, which provides subscribers, who pay between $2 a day to $265 a year, with access to what the site claims is a collection of more than 1.6 billion hacked or leaked records.
LeakedSource wrote that the data was provided by someone who goes by the alias Tessa88, but in an interview with Motherboard, an operator for the site said they were unaware of the real origins of the data breach, such as who originally breached MySpace, nor who has had the data “this whole time” or when the company was hacked. But this data was bound to leak eventually, they said.
“It's the nature of information. ‘Three can keep a secret, if two of them are dead,’” the operator told me in an online chat. “Once data gets traded a few times, eventually it will make its way to somebody who is not trustworthy to keep it a secret, and then it will spread like branches of a tree.”
MySpace did not respond to multiple requests for comment.
The passwords were originally “hashed” with the SHA1 algorithm, which
is known to be weak and easy to crack, LeakedSource wrote. What’s
worse, the company didn’t “salt” the passwords in the hashing process.
Salting means adding a series of random bytes to the end of passwords
before hashing them to make them harder to be cracked.
That’s why LeakedSource’s operator told me they expect to crack 98 or 99 percent of them by the end of the month, though the operator declined to say how many have been already cracked.
While the social network, which was one of the largest site on the internet more than 10 years ago, is now just a shell of its former self, this is still a significant hack. The site, which recently boasted about crossing the threshold of one billion registered users, still had a reported 50 million unique visitors per month as of last year.
MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well.
It’s unclear when the data was stolen from MySpace, but both the hacker, who’s known as Peace, and one of the operators of LeakedSource, a paid hacked data search engine that also claims to have the credentials, said it’s from a past, unreported, breach.
Neither Peace nor LeakedSource provided a sample of the hacked data. But Motherboard gave LeakedSource the email addresses of three staffers and two friends who had an account on the site to verify that the data was real. In all five cases, LeakedSource was able to send back their password.
The database contains 427,484,128 passwords, but there are only 360,213,024 million emails, according to LeakedSource, which announced the leak on Friday in a blog post. Each record in the hacked dataset contains “an email address, a username, one password and in some cases a second password,” according to the site.
Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password),” wrote LeakedSource, which provides subscribers, who pay between $2 a day to $265 a year, with access to what the site claims is a collection of more than 1.6 billion hacked or leaked records.
LeakedSource wrote that the data was provided by someone who goes by the alias Tessa88, but in an interview with Motherboard, an operator for the site said they were unaware of the real origins of the data breach, such as who originally breached MySpace, nor who has had the data “this whole time” or when the company was hacked. But this data was bound to leak eventually, they said.
“It's the nature of information. ‘Three can keep a secret, if two of them are dead,’” the operator told me in an online chat. “Once data gets traded a few times, eventually it will make its way to somebody who is not trustworthy to keep it a secret, and then it will spread like branches of a tree.”
MySpace did not respond to multiple requests for comment.
That’s why LeakedSource’s operator told me they expect to crack 98 or 99 percent of them by the end of the month, though the operator declined to say how many have been already cracked.
While the social network, which was one of the largest site on the internet more than 10 years ago, is now just a shell of its former self, this is still a significant hack. The site, which recently boasted about crossing the threshold of one billion registered users, still had a reported 50 million unique visitors per month as of last year.
Комментариев нет:
Отправить комментарий