Something weird is happening in the world of hacked data—a lot of it is turning up around the same time.
The phenomenon has Troy Hunt, the proprietor of data-breach search service Have I Been Pwned?, scratching his head. His site lets people see if they have indeed been “pwned” (victimized, in Internet-speak) in major hacks of online services, and he’s having a very busy time right now.
Last week Hunt uploaded the data from the massive LinkedIn (LNKD) breach (167 million victims). He’s just added data from breaches of adult-connections site Fling.com (40 million victims) and the Yahoo-owned (YHOO) blogging service Tumblr (65 million victims), and he will soon help people check if they were caught in the gargantuan Myspace hack (360 million victims).
Get Data Sheet, Coins2Day’s technology newsletter.
Yes, there are other big breaches in there from a while back—the Adobe (ADBE) breach includes 152 million users’ details, and then there’s the notorious Ashley Madison breach—but the current spate is something else.
“It’s an interesting situation,” Hunt told Coins2Day. “It makes me wonder how much more is out there.”
The common link between the LinkedIn, Fling, Tumblr and Myspace breaches is that the data from them has all recently appeared on underground data markets, being offered up by the same individual, a hacker called “Peace.”
“Is this an individual who’s connected to the attacks, or is it an individual who has acquired this data from other sources?” Hunt said. “I’m more inclined to say the latter, because we are looking at different sorts of incidents over a very long timeframe.”
(In a Tuesday blog post, Myspace said it believed Peace was responsible for its breach, as well as the attacks on LinkedIn and Tumblr.)
Hunt is pretty sure that the Myspace data, for example, dates back to somewhere between mid-2008 and early 2009. This is based not only on the fact that user details include a very high proportion of Yahoo webmail addresses, which have these days given way to Gmail (GOOG), but also reports from old Myspace users. Hunt found that people who created Myspace accounts in late 2007 were included in the breach, while someone who created an account in late 2009 was not.
As it happens, this was around the same time as Myspace had peaked and was starting to lay off scores of workers. With that in mind, along with the facts that there’s around 33 gigabytes of data in the stash and bandwidth wasn’t as cheap as it is today, Hunt said he was “wondering if it’s an insider kind of job” rather than someone exfiltrating the data through the Internet.
The Fling breach dates back to 2011, the LinkedIn leak took place around 2012 and Tumblr around 2013. Fling is a very different kind of website from the others (we suggest you don’t look it up from work). In short, data from all over the place is showing up at the same time.
For more on hacking, watch our video.
From using Hunt’s service (and querying the Myspace data, I know that I’ve personally been caught up in four major breaches: Myspace, Adobe, LinkedIn and Tumblr. I didn’t even remember I had a Tumblr account (it has only one test entry)—and that’s a common problem.
“It’s reflective of the reality that we’re a couple decades into the modern Internet,” said Hunt, who was also surprised to learn that he had a Tumblr account. “It’s curious that these are such disposable transitional assets that we have. I’m sure I may have created a Tumblr account, but it’s not in my password manager, which dates it back to [at least] five years ago.”
“It’s one thing to try and remember where you have to change your password, and another to remember which sites [you’re signed up to] in the first place.”