MySpace credentials breach
Credentials for roughly 360 million pre-2013 MySpace accounts surfaced for sale on the dark web in 2016. The passwords were stored as unsalted SHA-1 hashes, making one of the largest credential dumps ever disclosed trivially crackable.
- Victim: MySpace (Time Inc.)
- Records: 360.0M
- Users: 360.0M
In late May 2016, credentials for roughly 360 million MySpace accounts appeared for sale on a dark-web marketplace, and on 31 May 2016 the company, by then owned by Time Inc., confirmed the breach. Though MySpace had long faded from cultural relevance, the dump was among the largest credential leaks ever disclosed, and it underscored how old, abandoned accounts remain a liability long after a platform's peak.
What happened
The breached data was old. MySpace migrated to a new platform on 11 June 2013, and the leaked records all belonged to accounts created before that date, meaning the theft itself likely occurred years before the data surfaced publicly. The dataset was offered by a seller using the handle "Peace", the same actor selling the LinkedIn and Tumblr breach data in the same period, as part of a wave of 2016 "mega-breach" disclosures.
The breach-indexing service LeakedSource, which obtained a copy, reported 360,213,024 records containing usernames, email addresses, and passwords. Some accounts held a second password. The passwords were stored as unsalted SHA-1 hashes (the same weak scheme implicated in the LinkedIn breach), with the hashes computed over lowercased passwords, further reducing the keyspace and making mass cracking straightforward.
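The storage weakness described above, set beside a hardened form, as an added example that is not code from MySpace or from the sources. The account names, passwords, function names and the PBKDF2 work factor are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def legacy_hash(password):
    """Scheme the page describes: unsalted SHA-1 of the lowercased password."""
    return hashlib.sha1(password.lower().encode("utf-8")).hexdigest()

def hardened_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF; case is preserved."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest

def hardened_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hardened_hash(password, salt)[1], expected)

def accounts_sharing_a_digest(stored):
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(stored.values())
    return sum(1 for value in stored.values() if counts[value] > 1)

# Constructed sample accounts (not real data).
SAMPLE = {
    "alice": "Sunshine1",
    "bob": "sunshine1",
    "carol": "SUNSHINE1",
    "dave": "correct horse",
}

def compare_schemes(accounts=SAMPLE):
    """Return (accounts sharing a digest under legacy, same under hardened)."""
    legacy = {user: legacy_hash(pw) for user, pw in accounts.items()}
    hardened = {user: hardened_hash(pw) for user, pw in accounts.items()}
    return accounts_sharing_a_digest(legacy), accounts_sharing_a_digest(hardened)

if __name__ == "__main__":
    shared_legacy, shared_hardened = compare_schemes()
    print(f"legacy: {shared_legacy} of {len(SAMPLE)} accounts share a digest")
    print(f"hardened: {shared_hardened} of {len(SAMPLE)} accounts share a digest")
```

Under the legacy scheme three of the four sample accounts store the same digest, so recovering one password exposes all three; with per-user salts no two stored values match, and each must be attacked separately at the KDF's cost.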
Impact
- ~360 million accounts had usernames, email addresses, and crackable SHA-1 password hashes exposed.
- Because the data was tied to dormant accounts, the direct fraud risk to MySpace itself was limited, but the credentials were valuable for credential-stuffing attacks against the many users who had reused those passwords elsewhere over the years.
- MySpace invalidated passwords for all affected accounts and notified users, but with the platform largely abandoned, many account holders never saw the warnings.
- The breach formed part of a cluster of historic mega-breaches (LinkedIn, Tumblr, VK, Fling) that flooded dark-web markets in 2016 and were ingested into breach-notification services.
Why it matters
MySpace is the canonical example of the "zombie account" risk: data that retains value years after users stop caring about a service. The same password-storage failure as LinkedIn, unsalted SHA-1, turned a stale database into a usable attack tool, reinforcing that legacy systems must be migrated or hardened, not simply left running.
The 2016 mega-breach wave, of which MySpace was a centerpiece, reshaped how the security community thinks about credential reuse. It made clear that a breach at one consumer platform is effectively a breach against every other service where users recycled the same password, accelerating the push toward password managers, multi-factor authentication, and proactive breach monitoring.
Timeline
- MySpace migrates to a new platform; accounts created before this date are the ones later found in the leaked dataset.
- Reports surface that a hacker is selling more than 360 million MySpace credentials on a dark-web marketplace.
- MySpace publicly confirms the breach, attributing it to data stolen before June 2013 and now being offered for sale.
- LeakedSource reports the dataset contains 360,213,024 records with usernames, emails, and SHA-1 password hashes.