Myspace has revealed in an official announcement that it was the victim of a major data breach.
The incident took place a few years ago and is thought to have affected close to 360 million accounts. Myspace’s technical security team confirmed that information that was being offered on an online forum is genuine.
Myspace, which is a Time Inc company, speculates that the cybercriminal behind this attack is an individual who goes by the moniker Peace. This is the same person that is thought to be responsible for a similar incident at Tumblr, which bears all the hallmarks of the Myspace data breach.
Usernames, passwords and email addresses registered before June 11, 2013 were compromised and were spotted on an online hacking forum, according to a May 31 Myspace blog post. Officials believe Russian cyberhacker ‘Peace’, who is allegedly responsible for the LinkedIn and Tumblr breaches, is also responsible for this event.
Myspace said in the release that it has invalidated the passwords of all of the known victims, is monitoring suspicious activity on all accounts and has notified law enforcement of the incident. It has also taken “significant steps” to strengthen its users’ account security since the data breach in 2013, and the company now uses double-salted hashes to store passwords.
Most often databases are breached once attackers are able to reach internal servers that access the database, such as web servers that interface with the db. We have found many of these types of breaches are initially executed by SQL injection attacks or an admin getting their own passwords exposed from a previous breach of another service. With username and password reuse, an individual may use the same email address or username and password on site A that they would use on sites B and C. When site A gets compromised, the hacker uses an underground tool to check various other sites to see if this account login and password combination exists elsewhere, not associated with MySpace.
We strongly advise users who tend to reuse the same passwords between sites to set new passwords on those websites immediately.
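From the side of "site B or C" in the reuse scenario above, replayed credentials show up as one source trying many different accounts with few successes. The following is an added example, not part of the original article: the log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2016-06-01T10:00:01 203.0.113.7 alice@example.com FAIL
2016-06-01T10:00:02 203.0.113.7 bob@example.com FAIL
2016-06-01T10:00:03 203.0.113.7 carol@example.com OK
2016-06-01T10:00:04 203.0.113.7 dave@example.com FAIL
2016-06-01T10:00:05 203.0.113.7 erin@example.com FAIL
2016-06-01T10:00:06 203.0.113.7 frank@example.com FAIL
2016-06-01T10:03:10 198.51.100.20 grace@example.com FAIL
2016-06-01T10:03:25 198.51.100.20 grace@example.com FAIL
2016-06-01T10:03:41 198.51.100.20 grace@example.com OK
2016-06-01T10:05:00 192.0.2.5 heidi@example.com OK
"""

def parse(log):
    """Yield (ip, user, succeeded) for each whitespace-separated log line."""
    for line in log.strip().splitlines():
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"

def stuffing_suspects(log, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    One user mistyping a password touches a single account; a replayed
    breach list touches many. Thresholds are assumed values to tune.
    Returns {ip: {"distinct_users": n, "reset": [accounts that logged in]}}.
    """
    users, attempts, wins = defaultdict(set), defaultdict(int), defaultdict(set)
    for ip, user, ok in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            wins[ip].add(user)
    suspects = {}
    for ip, seen in users.items():
        ratio = len(wins[ip]) / attempts[ip]
        if len(seen) >= min_users and ratio <= max_success_ratio:
            # Accounts that succeeded from a flagged source reused a leaked
            # password and are candidates for a forced reset.
            suspects[ip] = {"distinct_users": len(seen), "reset": sorted(wins[ip])}
    return suspects

if __name__ == "__main__":
    print(stuffing_suspects(SAMPLE_LOG))
```

Accounts listed under `reset` are the ones where a reused password actually worked, so they are the first to invalidate.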