
Myspace Crowned King of Mega Breaches, With More Likely to Come

By Richard Adhikari
Jun 1, 2016 10:02 AM PT

Myspace and Tumblr this week emerged as the latest in a string of mega breaches that resulted in the theft of millions of user IDs -- not just recently but years ago.

"Over the period of this month, we've seen an interesting trend of data breaches," wrote security researcher Troy Hunt, operator of the Have I Been Pwned website. "Any one of these four I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing."

The granddaddy of the bunch is the Myspace breach -- 360 million records have been offered for sale, Hunt said.

The LinkedIn data breach led to 117 million records being offered for sale. Dark web customers also have been invited to purchase 50 million Tumblr account records and 40 million stolen from

The data for sale is listed by someone with the handle "peace_of_mind," who is "peddling a quality product," Hunt said.

It's not clear exactly how much data was stolen.

The Myspace breach may have involved as many as 427 million records, according to Sophos Senior Security Advisor Paul Ducklin.

Tumblr's exposure may have involved 65 million records, according to some reports.

Old Data Wine in New Bottles

None of the breaches connected to the records for sale were recent -- all occurred three or more years ago, Hunt pointed out.

It's possible "the people currently selling [the data] are acting as proxies and aren't the hackers themselves," noted Andrew Komarov, chief intelligence officer at InfoArmor.

The delay, the size of the breaches, and the fact that the stolen data was offered this month may indicate the hacks were related, Hunt noted.

How many more such mega breaches could yet surface? How many have not yet been publicized because the stolen data hasn't yet been offered on the market?

"We have information that the same hackers are preparing for the sale of data from a big social network from 2011 or 2012, along with many other resources," InfoArmor's Komarov told TechNewsWorld.

"It's not going to stop until we wise up, or until breach information is no longer profitable to hackers for money or leverage," observed Jon Rudolph, principal software engineer at Core Security.

"Some organizations [don't realize] that hackers' skills and their tools are becoming even more sophisticated," remarked Craig Kensek, a security expert at Lastline.

"There will undoubtedly be more breaches," he told TechNewsWorld.

The Risk to Users

Tumblr's user data was hashed, using an uncommon type of hash developed by the company, said InfoArmor's Komarov.

That may have led to the Tumblr hack data being offered for a measly 0.4255 bitcoins, equivalent to US$225, on the dark web.

However, data stolen from LinkedIn and Myspace was protected only by simple, unsalted SHA-1 hashes, Sophos' Ducklin noted.

"The biggest threat ... is that people are horrible at choosing unique passwords," Core Security Systems Engineer Bobby Kuzma told TechNewsWorld.

That said, the risk to users "is largely dependent on the decisions they've made online, the direct results of which services they trust, and information they share," said Core's Rudolph. "I don't lose as much sleep over a hobby account [like Tumblr]."

Users should think about subscribing to password managers, Lastline's Kensek told TechNewsWorld. They "create another layer of protection and are worth the investment."

Meanwhile, Courion, Core Security, SecureReset and Bay 31 have teamed to form a new firm, taking the "Core Security" name, which will offer a multidisciplinary approach to enterprise security.

It will combine dynamic provisioning, identity management, access governance, vulnerability assessment and pen testing, said Rudolph, offering "a variety of tools which can be used to detect weak spots in the entire security chain, including the people and systems -- prioritizing them, and showing what's really possible for attackers."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
