Update: Time Inc. Confirmed the breach of MySpace in a statement Tuesday morning.
The details of millions of Myspace users seem to have been stolen in yet another major hacking incident, with their passwords being vulnerable to decryption—and apparently on sale now.
Yes, this musically-inclined social network may not be the hit it once was, but if you tend to reuse your passwords across sites and over the years, here’s yet another reason to switch them up.
The hack was reported on Friday by LeakedSource, the same searchable repository of hacked account information that recently added the details of up to 167 million LinkedIn (LNKD) users.
Get Data Sheet, Coins2Day’s technology newsletter.
According to Motherboard, a notorious hacker called Peace has put the Myspace data up for sale in an underground market, for the price of 6 bitcoins (around $3,200 at the time of writing). Peace did the same with the LinkedIn data, albeit at a slightly lower price.
There were 360 million user records in the Myspace stash, but only 111 million had usernames. (At its peak, around eight years ago, Myspace reportedly had 75.9 million regular users.) Other information in the records included email addresses and one or two passwords—the total number of passwords was just over 427 million.
I confirmed with LeakedSource that the database contains my old Myspace login details. The site gave me my unencrypted Myspace password (which I have now changed), showing how easily they were able to remove its protections.
“The methods Myspace used for storing passwords are not what internet standards propose,” a LeakedSource blog post read, describing the encryption as “very weak.”
The site’s administrators told me they know of “dozens of people” who have this dataset.
For more on hacking, watch our video.
They think it dates back years, but it’s not clear when the apparent hack took place, or who was responsible. LeakedSource’s operators deny hacking or condoning hacking, and say someone using the alias “Tessa88” passed them the database.
As security researcher Troy Hunt noted, indications arose a couple months back of people receiving spam emails to accounts they only ever used for Myspace:
This is interesting, note the date: https://t.co/6WKq620ytu
— Troy Hunt (@troyhunt) May 27, 2016
Interestingly, LeakedSource suggested that more than 850,000 of the accounts seem to have been automatically generated—they all shared the same password, “homelesspa,” and all had similar email addresses.
Https://twitter.com/LeakedSource/status/736332464881274880
As you can probably guess, the most popular real passwords in the stash are “password1,” “abc123” and “123456.” People, don’t do this.
Myspace itself had not provided any comment at the time of writing. Coins2Day‘s proprietor, Time Incorporated (TIME), bought Myspace parent Viant Technology earlier this year.
This article was updated to note that the author had confirmed his details were in the leaked database.