360 Million MySpace Accounts Leaked Online

360 Million MySpace Accounts Leaked Online

Remember your MySpace account? The one you’ve forgotten your login to and hope no one ever finds because teenage angst should never be immortalised on the internet?

I’ve got some bad news for you; your login details have likely been leaked, along with 360,213,023 others.

Image: thelefty / Shutterstock.com

“MySpace.com was hacked,” LeakedSource revealed. The search engine specialises in leaked records, currently boasting a database of 1.6 billion acquired by “a combination of deep-web scavenging and rumor-chasing”.

“Tessa88@exploit.im” provided the MySpace database, which contained 111,341,258 usernames and 427,484,128 passwords. There were 360,213,024 records in total provided, each containing a combination of an email address, a username, one password and in some cases a second password.

The passwords were encrypted by Secure Hash Algorithm 1 (SHA1), a program designed by the United States National Security Agency which produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.

SHA-1 is “no longer considered secure against well-funded opponents”, with replacement recommended since 2015. Microsoft, Google and Mozilla browsers will stop accepting SHA-1 SSL certificates by 2017.

Not only were the passwords stored insecurely, they weren’t salted. A salt is randomly generated data that is added to passwords before encryption, making them much harder to crack.

So far we have passwords stored insecurely, not salted — and ridiculously simple. Keep in mind most of us created MySpace accounts at a time there wasn’t a whole lot of information about password security. Most were under 10 characters, all lower case characters, and well — take a look yourself at the top five.

MySpace Password Number Of Accounts
homelesspa (MySpace’s default) 855,478
password1 585,503
abc123 569,825
123456 487,945
myspace1 276,915

It’s like alist of “what not to do” — not that this breach is in any way user’s fault.

You can search LeakedSource to check if your details are among those leaked. “If your personal information appears in our copy of the MySpace database,” the site assures, “you may contact us and request to have it removed free of charge.”