Late last week, Myspace discovered that user login data (those usernames and passwords, and, in some cases, secondary passwords as well) were up for sale in an “online hacker forum.” Myspace says it believes the hacker responsible goes by the name of “Peace,” and that he’s also responsible for the recent hacks of Tumblr and LinkedIn.
Importantly, according to the hack-tracking site LeakedSource, the intrusion itself took place in June of 2013, before Myspace transitioned from failed social network to failed music marketing platform. That means that even if you haven’t used Myspace in years, you still could be vulnerable.
More people than you might think!
“Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk,” writes Myspace in a blog announcing the hack. It may be hard to remember now, but Myspace was once hugely popular, as evidenced by LeakedSource’s findings that 360,213,024 user records are in the data set—111,341,258 of which have an associated username.
As for current users, Myspace says it has increased its security significantly since 2013, specifically by using “double salted hashes,” which makes it much harder to crack passwords even if they’ve been breached. If you joined Myspace after its 2013 relaunch, you should be clear, and also what’s it like over there? Let us know in the comments.
How Serious Is This?
It’s pretty serious. It’s unlikely that anyone will break into your zombie Myspace page; the company has invalidated user passwords for all affected accounts, and didn’t store credit card or other financial info anyway. The bigger worry, though, is that Myspace didn’t protect passwords with much rigor prior to 2013, meaning that if you use the same username and password combo on any other sites today as you did for social networking in 2007, you’re at risk.
It’s also concerning just for the sheer volume of the hack; if LeakedSource is correct, this would be one of the largest breaches ever. That it comprises mostly old Myspace accounts also presents another problem: Who remembers the password they were using several years ago on a long-ignored platform? It’s hard to change a compromised password if you don’t even know what it is, which means that to feel truly safe, you should probably change any password you’ve been using for a long time across multiple services. Also, stop using the same password across multiple services. Seriously, stop.