Award-winning news, views, and insight from the ESET security community

Myspace data breach: 360 million accounts affected

Myspace has revealed that it was the victim of a data breach. The incident took place a few years ago and is thought to have affected close to 360 million accounts.

Narinder Purba

01 Jun 2016 • 1 min. read

Myspace has revealed in an official announcement that it was the victim of a major data breach.

The incident took place a few years ago and is thought to have affected close to 360 million accounts.

Myspace’s technical security team confirmed that information that was being offered on an online forum is genuine.

The compromised data, which includes usernames, passwords and email addresses, was taken from its old platform. This was revamped in June, 2013.

Myspace, which is a Time Inc company, speculates that the cybercriminal behind this attack is an individual who goes by the moniker Peace.

This is the same person that is thought to be responsible for a similar incident at Tumblr, which bears all the hallmarks of the Myspace data breach.

The former social network giant has since invalidated all passwords belonging to accounts that were set up prior to 2013 and an investigation is underway.

“We take the security and privacy of customer data and information extremely seriously, especially in an age when malicious hackers are increasingly sophisticated and breaches across all industries have become all too common,” stated Jeff Bairstow, executive vice president and chief financial officer of Time Inc.

“Our information security and privacy teams are doing everything we can to support the Myspace team.”

Have I Been Pwned, which documents major data breaches, confirms the Myspace incident as the worst yet.

In second place is LinkedIn, which again is a historic incident, followed by Adobe.

Commenting on these recent revelations, the website’s founder, Troy Hunt, said: “There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related.”

360 million Myspace accounts breached

The logo of Myspace, a social networking site founded in 2003 which was hugely popular prior to the rise of Facebook. A database of as many as 360 Myspace account details was offered up for sale on a hacker forum in May of 2016.

SAN FRANCISCO — Although Myspace is a mere shadow of its former self, users who had accounts on the once-mighty social networking site should be aware that their old information could be up for sale online.

Time Inc., which bought the social networking site in February, said Tuesday names and passwords from more than 360 million Myspace accounts were compromised.

According to Time, the data was limited to usernames, passwords and email addresses from the platform prior to June 11, 2013, when the site was relaunched with stronger account security.

Moribund accounts potentially dangerous

Founded in 2003, Myspace was a popular social networking site that was particularly beloved by musicians looking to build a following. In its heyday it had as many as 75 million users. But by 2008, it had been eclipsed by Facebook as the largest social network worldwide.

Today, it is ranked 1,711 in popularity among sites in the United States, according to Alexa, a business analytics company now owned by Amazon.

But users who at one time had Myspace accounts could still be vulnerable if they haven't been practicing good password hygiene.

Multiple surveys have found that between 50% and 75% of U.S. Internet users have one password they use on most if not all of their online accounts.

Hackers know this and routinely create databases of stolen email addresses and passwords, which they can try on different sites to see if they work.

For example, with a known link between the email address [email protected] and a password of Muppets4ever on an old Myspace list, a hacker might try the same user ID and password combination on newer sites such as Facebook, or a bank or an email account.

The number of user names and passwords in the breach is so large that even if 5% still work, “it’s still a significant number,” said Ryan Stolte, chief technology officer at Bay Dynamics, a San Francisco cyber security firm.

Criminal cyber attack rings are very organized about how they use the data they steal or buy on the cyber underground.

“They’ve got smart programs that can try variations of these passwords that will work and then they’ve got rooms of people typing in these passwords, kind of a password call center,” Stolte said.

Another danger to former Myspace users is phishing emails. Spammers often use news of big breaches or dumps of old account information to try to trick the unwary into clicking on dangerous links. Users should beware of clicking on links in any emails purporting to be able to fix their Myspace breached info.

Working on the problem

Myspace has invalidated the passwords of all known affected users and will notify them. It is also monitoring for suspicious activity that might occur on Myspace accounts, the company said.

"Our information security and privacy teams are doing everything we can to support the Myspace team," Jeff Bairstow, Time Inc. executive vice president and chief financial officer said in a statement.

The breach didn't affect any of Time Inc.’s systems, subscriber information or other media properties, the company said.

Several caches of old passwords and IDs from other online platforms have appeared for sale recently. Two weeks ago LinkedIn reset passwords for as many as 117 million users whose IDs had been stolen in a 2012 breach after they went up for sale online.
