News: MySpace is apparently next, with more than 360 million emails and passwords reportedly stolen.
A mega breach has hit popular social media networks MySpace and Tumblr, with hundreds of millions of hacked accounts reportedly on sale via the darknet.
Following the much-publicised LinkedIn breach, which saw 117m stolen emails and passwords put up for sale on the Dark Web, it has been reported that a staggering 65 million Tumblr accounts are also now being advertised for sale online.
Although Tumblr admitted to the data breach on May 12, the scale of the hack was not disclosed. The compromised database included email addresses and passwords, although the latter are heavily protected because Tumblr salted and hashed the passwords – a one-way procedure which turns each password into a different string of characters, effectively making it impossible to restore a password so that it is usable again.
According to a hacker known as Peace and cited by Motherboard’s Lorenzo Franceschi, due to the passwords being unusable, the remaining data – emails – are being sold for as little as $150 on darknet marketplace The Real Deal. However, as Matt Middleton-Leal, regional director, UK & Ireland at CyberArk argues, emails without passwords can be just as damaging to a user’s digital life.
"Personally identifiable information is a high value commodity for hackers; anything that helps to build a complete picture of a person can be far more valuable than credit card numbers. So the ability for hackers to use the leaked emails to tease out more information about individuals via phishing techniques is the concern, as other areas of their digital lives may then be at risk. Many of our online account passwords are the same or similar, so learning which one opens up other doors will be their chosen tactic."
The scale of the data breach came to light when Troy Hunt, a security researcher who runs the Have I Been Pwned site, obtained a copy of the stolen data. According to Hunt’s analysis, 65,469,298 Tumblr accounts have been breached, with significant trends and patterns surfacing due to the breach.
Hunt finds it interesting that a spate of mega breaches at LinkedIn, Fling, Tumblr and MySpace have all been recently disclosed, yet the actual breach in each case dates back a number of years. There is also the size of the breaches and the short space of time in which they are appearing, with Hunt saying: "These 4 incidents account for two thirds of all the data in the system, or at least they will once MySpace turns up.
"Then there’s the fact that it’s all appearing within a very short period of time – all just this month. There’s been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can’t help but wonder if they’re perhaps related."
When it comes to MySpace, the Tumblr breach may pale in comparison. News site Motherboard has reported that the hacker known as Peace, alongside an operator of LeakedSource, claims to have 360 million emails and passwords of MySpace users. If true, this could be one of the biggest breaches and leaks of passwords ever. However, as no data sample has been provided, it is hard to verify the scale of the supposed breach. The data is, however, reportedly now up for sale on dark web market The Real Deal, with an asking price of 6 Bitcoin for the stolen passwords and emails.
In a statement, MySpace said: "Email addresses, MySpace usernames, and MySpace passwords for the affected MySpace accounts created prior to June 11, 2013 on the old MySpace platform are at risk. As you know, MySpace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and MySpace username and password. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013 on the old MySpace platform."
In the statement, MySpace also said that automated tools had been deployed to identify and block any suspicious activity, and that law enforcement had been informed about the breach.
If there is a trend of mega breaches then the MySpace breach might be one in a long line of breaches yet to be disclosed. Troy Hunt said: "If this indeed is a trend, where does it end? What more is in store that we haven’t already seen? And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the 'mega' category that are simply sitting there in the clutches of various unknown parties?"