Thursday, 9 June 2016

Myspace blames Russian hacker for LinkedIn attacks

Myspace has confirmed that it has fallen victim to hackers and has blamed the breach on a cyber attacker called 'Peace' from Russia. 
LeakedSource revealed details earlier this week of a hack on Myspace that has seen the release of millions of presumably redundant account and password details. The site, which recently shamed LinkedIn, offers a searchable database for worried people to check their security status.
The Myspace database was provided by someone who goes by the alias Tessa88@exploit.im.
"LeakedSource does not engage in, encourage or condone unlawful entry ('hacking') into private systems," said LeakedSource.

"This data set contains 360,213,024 records. Each record may contain an email address, a username, one password and in some cases a second password. Of the 360 million, 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password."
"Shortly before the Memorial Day weekend, we became aware that stolen Myspace user log-in data was being made available in an online hacker forum," Myspace said.
"The data stolen included user log-in data from a portion of accounts that were created prior to June 11 2013 on the old Myspace platform."
The firm goes on to blame the hack on a Russian hacker called 'Peace', who is also allegedly responsible for the recent high-profile hacks on LinkedIn and Tumblr.
"We believe the data breach is attributed to Russian cyber hacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr, and has claimed on the paid hacker search engine LeakedSource that the data is from a past breach," said Myspace.
"This is an ongoing investigation, and we will share more information as it becomes available."
While Myspace knows it's responsible, the firm should also hold itself accountable, as LeakedSource revealed that user passwords were stored as SHA1 hashes with no salting. This is bad, but so are the passwords that were in use. You can probably guess what they are. The most common, for what it's worth, is 'HomelessPA', but the second is 'Password1'.
The email addresses associated with these passwords perhaps reflect the age of the data. The top domain is Yahoo.com, followed by Hotmail, Gmail and AOL.com.
"Salting makes decrypting passwords harder when dealing with large numbers of passwords such as these. The methods Myspace used for storing passwords are not what internet standards propose, and is very weak encryption. Some would say it's not encryption at all. But it gets worse," explained LeakedSource.
"We noticed that very few passwords were over 10 characters in length (in the thousands) and nearly none contained an uppercase character that makes it much [harder] to decrypt."
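An added example, not from the article or from LeakedSource, setting the unsalted SHA1 storage described above beside a per-account salt with a slow key-derivation function. The choice of PBKDF2, the iteration count and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def unsalted_sha1(password):
    """Scheme the article describes: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_kdf(password, salt=None):
    """Hardened form: random per-account salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_kdf(password, salt)[1], expected)


def compare_schemes(accounts):
    """Count distinct stored values under each scheme for the same accounts."""
    unsalted = {unsalted_sha1(pw) for _, pw in accounts}
    salted = {salted_kdf(pw) for _, pw in accounts}
    return len(unsalted), len(salted)


# Constructed sample accounts; the two passwords are the ones the article names.
SAMPLE_ACCOUNTS = [
    ("user1@example.com", "Password1"),
    ("user2@example.com", "Password1"),
    ("user3@example.com", "Password1"),
    ("user4@example.com", "HomelessPA"),
]

if __name__ == "__main__":
    n_unsalted, n_salted = compare_schemes(SAMPLE_ACCOUNTS)
    # Unsalted: equal passwords collapse to one stored value, so a single
    # guess is checked against every account at once.
    print("distinct unsalted SHA-1 values:", n_unsalted)
    # Salted: every account stores a different value, so each guess must be
    # recomputed per account, and each computation is slow.
    print("distinct salted PBKDF2 values:", n_salted)
```
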
If you are still using one of these bad passwords, for crying out loud, change it. You can check to see whether you are affected on the LeakedSource database. µ