Hackers May Have Hit 425 Million MySpace, Tumblr Accounts

In the MySpace breach, each of the 360 million records contains an email address and at least one password. Tumblr had 65 million accounts hit.

Before there were Facebook and LinkedIn, there was MySpace.

Fifteen years ago, MySpace was the hottest social Internet network going for teens and tweens on laptops. It provided a place for young Web users to be creative and talk about music, cars, sex and TV shows.

But when Facebook came into the mainstream in 2006, it made the join-in process simpler, enabled better viral connections with friends, made it easier to post photos and videos, and brought a much more structured look and feel to personal Web pages. MySpace users quickly fell away.

By 2009, MySpace was in the rear-view mirror of a lot of former users.

However, Web thieves haven't forgotten about all the personal data in sites such as MySpace and Tumblr, both of which were hit by huge data breaches at some point or points in the last several months or years. We know this because MySpace's owner, Time Inc., revealed May 27 that it has been informed about a large set of stolen MySpace username and password combinations that are now available for sale in an online hacker forum.

Tumblr, a social networking blogsite owned by Yahoo, reportedly had about 65 million email addresses and passwords stolen and put up for sale on the same forum.

The data up for sale is old, but even old data still has considerable value on markets such as this. In this case, the stolen personal information appears to be limited to part of the user base from an old MySpace platform that was operational before June 11, 2013. The site owner relaunched that day with a new security apparatus.

MySpace's publisher didn't offer a ballpark figure on how many user accounts were in the data set that was for sale; it's now gone from the forum site. However, LeakedSource.com reported May 31 that more than 360 million accounts were involved.

LeakedSource is a search engine capable of searching more than 1.6 billion leaked records—an aggregation of data from hundreds of disparate sources.

In the MySpace breach, each record contains an email address, a password and, in some cases, a second password, LeakedSource.com said. Because some accounts have multiple passwords, there were more than 427 million total passwords available for sale, LeakedSource said.

If true, this would become the largest-ever hacked collection of personal data from one site, security researcher Sophos noted. In 2012, more than 117 million email addresses and passwords were stolen from professional social network LinkedIn.

MySpace said it has already invalidated the passwords of known affected accounts and has notified all its users via email.

"We take the security and privacy of customer data and information extremely seriously—especially in an age when malicious hackers are increasingly sophisticated and breaches across all industries have become all too common," MySpace CFO Jeff Bairstow said in a press statement. "Our information security and privacy teams are doing everything we can to support the MySpace team."

MySpace is working with law enforcement because the case is still under investigation, the company said.

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...