The biggest news in security this week is, surprisingly, several years old. Recently, the stolen login credentials and passwords for 360 million Myspace users, 65 million Tumblr users, and 40 million Fling users have been put up for sale on the dark web by a hacker named “Peace”, the same individual who is selling 167 million LinkedIn users’ data, according to Fortune.
The website Have I Been Pwned allows users to enter their email address and see if their information is part of a data breach. Also, the website keeps an updated list of the largest internet breaches to date. Last week, Myspace soared to the top of the list, surpassing some of the largest breaches including Ashley Madison and LinkedIn.
Troy Hunt, creator of Have I Been Pwned, told Fortune magazine, “It’s an interesting situation. It makes me wonder how much more is out there.”
Experts are working to get to the bottom of the attacks. They want to know when the sites were hacked and who did it. Hunt believes that several individuals perpetrated the attacks while one individual (Peace) simply acquired the information.
“Is this an individual who’s connected to the attacks, or is it an individual who has acquired this data from other sources?” Hunt said. “I’m more inclined to say the latter, because we are looking at different sorts of incidents over a very long timeframe.”
Myspace, on the other hand, wrote in a blog post that they believe Peace is solely responsible for the attacks. They believe that users who had accounts prior to June 11, 2013, are included in the breach, so they have invalidated all passwords for the affected accounts. The blog post linked above gives users instructions to reset their passwords.
Hunt, however, believes that the data dates back to mid-2008 and early 2009, because people who created accounts in 2007 were included in the breach but those who created accounts in late 2009 were not. Either way, if you have a Myspace account at all, you should change your password.
Unsurprisingly, the most popular passwords in the breach include “password1”, “abc123”, and “123456.” Since Myspace is an older site and one that may not be used often, the real danger lies in the sharing of passwords across sites. If your Myspace, LinkedIn, Tumblr, or Fling password is the same as the one you use for other accounts, you need to do a complete password overhaul immediately.
Hunt expects to see more hacks of large sites come to light. “Even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?” he said.
It’s becoming more and more clear that security is a goal that keeps evading our grasp. Nevertheless, we must do everything we can to continue moving towards that goal.