Tens of millions of Myspace, Tumblr login credentials for sale online


If you used to spend time on Myspace or Tumblr, there’s a good chance your login credentials — your user name, email address and in many cases your password — are available to anyone who wants to buy them as part of a package deal.

Security researchers recently discovered more than 360 million Myspace credentials in an online forum for hackers and another 65 million Tumblr credentials in a marketplace on the dark web, according to published reports. Both companies are requiring affected users to change their passwords, but the stolen credentials could be a danger to consumers who use the same user names and passwords on multiple sites.

Both sets of credentials appear to come from hacking attacks that took place in 2013 or earlier, so they don’t include more recently created accounts. The Myspace data is potentially more problematic, and not just because of the larger size of the breach.

Indeed, the 360 million figure actually understates the breach’s size, because many of the Myspace accounts listed more than one password. If you include the more than 68 million secondary passwords — and omit the few accounts that only listed a secondary password and not a primary one — the Myspace trove had some 427 million passwords within it.

Even worse, the passwords in the cache that were used on the site were apparently stored in the clear, and those accessible in the hacker database were easily cracked because they were reportedly encrypted using an obsolete technique.

By contrast, passwords in the Tumblr cache were “salted” and “hashed” — a process that adds random data to passwords and then cryptographically scrambles them, making them harder to crack.
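To make the contrast concrete, here is an added example (not from the original article or from either company) that stores the same constructed accounts both ways and checks which storage reveals users who share a password. Unsalted SHA-1 stands in for the unnamed obsolete technique and PBKDF2 with a 16-byte salt for the salted scheme; both choices, the work factor and the account data are assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor for this example

# Constructed sample accounts; two users picked the same password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}

def unsalted_record(password):
    """Weak storage: a single fast, unsalted digest (SHA-1 assumed here)."""
    return hashlib.sha1(password.encode()).digest()

def salted_record(password, salt=None):
    """Salted storage: per-user random salt plus a slow KDF (PBKDF2 assumed)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(salted_record(password, salt)[1], expected)

def users_sharing_a_digest(digests):
    """Return groups of users whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in digests.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def audit():
    """Store ACCOUNTS both ways and report duplicate digests for each."""
    weak = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    return (users_sharing_a_digest(weak),
            users_sharing_a_digest({u: d for u, (_, d) in strong.items()}))

if __name__ == "__main__":
    weak_groups, strong_groups = audit()
    print("unsalted, identical digests:", weak_groups)
    print("salted, identical digests:  ", strong_groups)
```

With unsalted digests, recovering one password exposes every account that stores the same digest; with a per-user salt, each record has to be worked on separately.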

Time, which now owns Myspace, on Tuesday acknowledged the breach that led to the loss of the credentials. The company became aware of the data “shortly before” the Memorial Day weekend, the company said. The company is notifying affected users and monitoring activity on the site, it said.

“We take the security and privacy of customer data and information extremely seriously,” Jeff Bairstow, Time’s chief financial officer, said in a statement. “Our information security and privacy teams are doing everything we can to support the Myspace team.”

Yahoo-owned Tumblr acknowledged its breach earlier this month, but didn’t disclose how many accounts were affected. On Monday, Motherboard, citing security researcher Troy Hunt, put a number on it: 65,469,298 unique accounts.

The breaches are only the latest examples of wide-scale security compromises. Earlier this month, for example, LinkedIn acknowledged that a 2012 breach was much bigger than it initially reported, with some 117 million passwords compromised.

Hunt runs a website called “Have I Been Pwned” that allows web users to see if their credentials have been compromised in one or more of the recent breaches.


  • EllaFino

    Email information is probably the only thing worth in hacking Tumblr.