In another haunting hack from the past, Time Inc. has confirmed the theft of 427 million passwords from MySpace, the aging social networking site the media company acquired just three months ago.
The records were offered for sale on the dark web by the same hacker who posted for sale a trove of 117 million stolen LinkedIn passwords nearly two weeks ago. The posted price for MySpace credentials is 6 bit coins or about $3,200 at today’s rate.
The MySpace incident is tied to a June 11, 2013 hack, according to LeakedSource, while the LinkedIn episode dated back to 2012. LeakedSource is the same web site that confirmed the LinkedIn theft.
The important similarity of these dated incidents lies in the fact that hackers could use these recently posted stolen passwords to break into current accounts of victims who re-use passwords across many sites, including banking and health services.
The recent 2016 Verizon Data Breach Investigation Report showed that 63% of confirmed data breaches involved weak, default or stolen passwords.
Social media users made light of the aging passwords, including Paul Hosford, a reporter with the Irish media site thejournal, “If MySpace hackers have managed to get hold of my password, can they tell me what it is?”
But even past its prime, MySpace reports today 50 million visitors per month. On its blog, MySpace said the stolen passwords have been inactivated on its site, and it encouraged users to set new passwords on accounts where they used the same or similar password from their MySpace account.
LeakedSource reported that the MySpace passwords were stored in SHA1 with no salting, a process that makes decrypting passwords exponentially harder. MySpace confirmed the stolen data included user login data “from a portion of accounts that were created prior to June 11, 2013.”
Time Inc., which own titles such as Fortune and Sports Illustrated, acquired MySpace when it bought parent company Viant Technology in February. Terms of the deal were not disclosed, but at the time Time Inc. chairman and CEO Joe Ripp, said, “This acquisition is game changing for us.” Today, the change seems to be dealing with a major hack of private account data.
Since its heyday early in this century as the world’s largest social media site, MySpace was acquired in 2005 by News Corp. for $580 million and again in 2011 for $35 million by Justin Timberlake and Specific Media Group.
Source: SANS ISC SecNewsFeed @ May 31, 2016 at 03:39PM