A hacker has breached the social media site MySpace and made off with a cache of old user logins, the company confirmed on Tuesday. The breach did not impact the systems of parent company Time Inc., nor did it include subscriber information or financial data.
All of the email addresses and passwords are from before 2013, when the company rolled out new security measures.
Last week, a hacker known as “Peace” offered 360 million MySpace user logins for sale on the dark web. MySpace on Tuesday said it believed the breach was correctly attributed to the Russian cyber criminal but did not confirm the number of exposed accounts.
If the 360 million figure is confirmed, it would be the largest such breach ever recorded.
As with the 117 million LinkedIn records recently exposed by the same hacker, the MySpace data was poorly secured, according to LeakedSource, a search engine for hacked data.
Although the exposed passwords were not stored in plain text, they were protected with a weaker algorithm that makes them easier to crack. The passwords were “hashed” (converted by a one-way function into a fixed-length string of characters) but not “salted,” a step that adds a few random characters specific to each user to every password before it is hashed.
A LeakedSource operator told Motherboard they expect to crack 98 or 99 percent of the passwords by the end of the month.
MySpace said Tuesday that it now uses double-salted hashes to store passwords.
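The difference between the two storage schemes described above can be seen in a short added example (not MySpace's code): without a salt, every account that shares a password stores the same value, while a per-user salt makes each stored value unique. The choice of SHA-1 for the unsalted case, PBKDF2 for the salted case, the iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = [
    ("alice@example.com", "sunshine1"),
    ("bob@example.com", "sunshine1"),
    ("carol@example.com", "T4ngerine!river"),
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def store_unsalted(password):
    """Weak scheme: one fast hash, no salt (SHA-1 is an assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Stronger scheme: random 16-byte salt per user plus a slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(store_salted(password, salt)[1], digest)


def shared_hash_groups(records):
    """Return lists of users whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, stored in records:
        groups[stored].append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = [(u, store_unsalted(p)) for u, p in ACCOUNTS]
    salted = [(u, store_salted(p)) for u, p in ACCOUNTS]
    # Unsalted: alice and bob are visibly linked by an identical hash.
    print("unsalted duplicates:", shared_hash_groups(unsalted))
    # Salted: no two stored values match, even for the same password.
    print("salted duplicates:  ", shared_hash_groups(salted))
```

Because an unsalted hash depends only on the password, one computed guess can be checked against every leaked record at once; with per-user salts each guess has to be recomputed for each account.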
The stolen LinkedIn data was also from an old hack. It originated from a 2012 breach that turned out to be much larger than originally thought.
Around 6.5 million passwords were posted online when the breach occurred, although LinkedIn never confirmed the scope of the hack. The company rolled out a mandatory password reset for all accounts it believed were compromised.
But this month, a LinkedIn spokesman said the 6.5 million passwords originally released were not necessarily all of the stolen data.
MySpace has invalidated the passwords of all the known users impacted by the breach and is in the process of notifying victims.