Time Inc., which recently acquired pioneering social network Myspace, has confirmed reports that the site was hacked. Like the Tumblr breach that we reported on yesterday, the compromised Myspace data dates back several years.
Time said earlier today that it first became aware shortly before Memorial Day weekend that stolen Myspace credentials were being made available in an online hacker forum. The data, which consists of usernames, passwords and e-mail addresses, was apparently swiped from the old Myspace platform – or in other words, prior to June 11, 2013, when the site was relaunched with strengthened security.
As of writing, Time says it doesn’t appear as though any financial data was compromised. What’s more, the breach does not impact any of Time’s other systems or subscribers.
Myspace is in the process of notifying affected users and is working with law enforcement in hopes of figuring out who was behind the attack. The site has also wiped all of the passwords of impacted users so at the very least, the data can’t be used to log into Myspace.
This is the second major security breach to surface this week in which the theft of data took place years earlier. Dated breaches like this may seem like less of a concern given their age but in fact, they present some unique challenges.
With data this old, it’s entirely possible that it has already been picked through before being made available on the black market. Furthermore, people weren’t quite as concerned with security and privacy in early 2013 as they are today meaning passwords were probably a bit less complex on average. Using the same password across multiple sites was also more common back then and it’s entirely possible that some haven’t gone back and changed passwords for older accounts they might not use as often these days, like Myspace.
The only real silver lining here is that yes, the data is old and is less likely to be up-to-date.
In a post on Myspace’s blog, the site says it suspects Russian hacker “Peace” is responsible for the attack, the same person that recently posted LinkedIn and Tumblr data on the underground market.
Neither Time nor Myspace would say how many accounts were compromised although a report from LeakedSource says the data set contains a whopping 360,213,024 records. Each “record” may contain a username, e-mail address, password and in some cases, a second password. The site notes that more than 68 million records had a second password attached.
The publication further reports that passwords were hashed and stored using SHA1 encryption without salting. As you may know, salting is a technique that makes it much more difficult to crack passwords. Worse yet, LeakedSource reports that very few passwords were over 10 characters in length and nearly none of them contained an upper case letter, making them even easier to decrypt.