Cybercriminals Crack into 360 Million Old Myspace Accounts

By on Jun 03, 2016

It’s easy to create online accounts, and it’s just as easy to forget them. Remember Myspace? The early social media network existed before Facebook, but even those who spent a lot of time on it may have forgotten all about it. That’s why a recent breach on Myspace that exposed 360 million people’s accounts is a serious blast to the past.

Time Inc., the owner of Myspace, confirmed in late May that a cybercriminal is attempting to sell 427 million passwords stolen from the early social network’s database. The breach, the company said, affects as many as 360 million users, and may very well be the biggest breach in history so far. The seller, who goes by the alias “Peace,” is fielding the stolen goods for $2,800.

Now, this breach does offer us some insights into the long-term impacts our digital footprints can have. For example, many people hadn’t thought about, or visited, Myspace in years. Nevertheless, user emails and passwords were maintained on the network’s servers, which were compromised. The same can go for any service. When you stop and consider all of the old, defunct or forgotten services you’ve registered for, it adds up to a lot of potential security issues.

When we create, and then neglect, online accounts, outdated security can create opportunities for cybercriminals. For example, Myspace’s legal department told users via email, “data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform.”  What this means is that in June 2013, Myspace launched new security protocols, but it did not update them for accounts created before the 11th. Instead, they were stored with the older, less secure SHA-1 function.

To better explain, let me give you a quick run-through of basic cryptology. If companies store passwords in the same format as the users type them, breaches can become more dangerous. For example, cybercriminals could simply copy and paste passwords if they ever gained access to the data. That’s why companies use encryption to hash passwords. This means passwords are mixed up before being stored on a server. If someone breaks into the database, they then have to crack the jumbled code to obtain the real passwords. But hashing isn’t enough to protect passwords. So, companies began salting, or adding random data to passwords before hashing them. This combination of salting and hashing makes it difficult for criminals to both reverse-engineer the key code and discern genuine data from false data.

Let’s take this knowledge back to the context of the Myspace hack. While the company salted and hashed passwords after 2013, prior accounts were stored in an unsalted format. Those were the breached ones, and ultimately, the outdated SHA-1 function exposed Myspace users. The lesson here is that our forgotten, old accounts are not only subject to increased vulnerabilities, but they also create easier opportunities for cybercriminals to hack away.

At the end of the day, users can also be more responsible for their old internet profiles given increased risks over time. It’s too easy, and dangerous, to forget the digital trails we leave behind. Being aware of online accounts coming and going allows us to better protect ourselves from those exploiting accounts of our past.

With that in mind, here are some basic steps you can take to protect all stages of your online life:

  • Do maintenance on accounts and delete old ones. It’s a good idea to keep track of all online profiles you’ve registered. This makes it easier to periodically change passwords and check for suspicious behavior. Most importantly, delete old and unused accounts to tie up loose ends. 
  • Use different passwords for different services. If a cybercriminal breaches an old account, you won’t want them to have the master to key to all the services you use. Using different, complex passwords across accounts adds another layer of security.
  • Make sure companies are using up to date security practices. In the case of Myspace, the company did update security protocols, but not for accounts opened prior to a certain date. Always stay up to date on security practices of the services you use—and the ones you used to.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

gary

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...

Read more posts from Gary Davis

Subscribe to McAfee Securing Tomorrow Blogs