MySpace hack: 33GB file containing more than 360 million user accounts leaks online

A huge 33GB dataset containing more than 360 million account credentials from MySpace.com, the former heavyweight of social media, has surfaced online. The trove of data, which upon analysis appears to date to 2008 and 2009, holds a massive 360,213,024 records reportedly featuring email addresses, usernames and passwords.

The breach, which was first revealed on LeakedSource, a website that collates compromised credentials, consists of 427,484,128 passwords in total – an inflated number due to roughly 68 million accounts also having a secondary password attached. Of the 360m-plus accounts, 111,341,258 come with a username attached.

According to an initial assessment of the data, passwords were stored in SHA1 with "no salting". A researcher said: "We noticed that very few passwords were over 10 characters in length [in the thousands] and nearly none contained an upper-case character, which makes it much easier for people to decrypt."

The passwords in the breached data were suitably weak and included 'password1' (585,503 instances), '123456' (487,945) and 'abc123' (569,825).

The compromised information has since appeared on a dark web-based marketplace called The Real Deal.

A vendor under the pseudonym 'Peace', who in the past has also posted millions of accounts from breaches at Fling.com and LinkedIn, listed the accounts for a total of six bitcoin, which is equivalent to £2,200 ($3,200) at the time of writing.

In a statement posted on 31 May, Myspace acknowledged the breach and blamed the incident on Peace - who it branded a "Russian cyberhacker." The firm admitted: "Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk."

It continued: "As you know, Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users' email address and Myspace username and password." Myspace said law enforcement has been informed and will now investigate the "criminal act."

Dating the breach

Based on fresh analysis from independent security researcher Troy Hunt, who operates breach notification website HaveIBeenPwned.com, the hacked MySpace data is from "mid-2008 to early 2009".

Upon inspection, Hunt found three major email providers were used to sign up to the platform at the time the breach occurred: Gmail (25,190,539 accounts), Hotmail (79,747,196 accounts) and Yahoo (126,053,251 accounts).

By comparing the dataset to the information recently compromised from LinkedIn, Hunt was able to begin to date the data – one piece of information that was glaringly absent from previous reports.

"There are likely some interesting insights to take away from the passwords alone, but it's the email addresses that can help us actually date the thing," he said.

"What we need to remember with Gmail is that they're a relatively new player. They entered private beta in April 2004 and didn't hit the mainstream until February 2007. There are still 25m accounts in the MySpace data, so the incident certainly happened after that early 2007 timeframe."

After contacting a number of people who confirmed being in the leaked dataset, Hunt was able to further narrow down the window of when the breach took place. By comparing the percentage of emails compromised from each provider in the LinkedIn incident, Hunt found Gmail was the most common. "Keep in mind that LinkedIn was hacked in May 2012 so now we have a window somewhere between then and 2007," Hunt said, noting that MySpace started running into significant difficulties from mid-2008.

He added: "It may be that the incident occurred after 2008, but I doubt it was much later as they were still getting registrations and they would have been very heavily Gmail biased by that time."

Hunt told IBTimes UK the leaked data is now in the process of being uploaded into HaveIBeenPwned.com, which will allow users to search the trove of data to check if their credentials are included in the leak.

Since its fall from grace after being dethroned by social goliath Facebook, MySpace has made an attempt at resurrection. In November last year, as reported by Vice.com, the platform claimed to have clawed back one billion registered users.

At the time, Tim Vanderhook, chief-executive of MySpace parent company Viant, said the company often relies on its vast collection of email addresses to tailor communications with users. "Our strategy is really simple," Vanderhook said. "Every time we have something relevant to say or offer, we leverage our archive of registered users and email aggressively.

"We can simply send an email to a billion users at a moment's notice when we're ready to launch something and entice them to check out what we're offering. And with the information we possess on people, we have a much greater ability to reach out and be relevant to them again." Now, it seems, this feature may have to be used to send a significant amount of breach notification letters.

At its peak, MySpace was attracting roughly 100 million monthly users. In 2005, News Corp, which is owned by media mogul Rupert Murdoch, bought the platform for $580m (£396.2m, €519.6). In 2011, the platform was sold again for a much-decreased sum of $35m.

This article was updated on 16:48 pm 31 May to insert a statement from Myspace.