We're seeing a resurgence of older breaches being re-packaged and sold, often with attempts to crack the original password hashes. While the MySpace breach is hardly new, the sheer scale of the exposure and the ongoing attempts to monetize these credentials make it relevant even today. Our team flagged this particular instance after observing increased chatter on several dark web forums about "MySpace combos" – sets of email/password pairs purportedly derived from the original leak. What really struck us wasn't the re-emergence of the data itself, but the apparent success attackers are having in cracking a significant portion of the SHA1 hashes.
The MySpace data breach, originally occurring around 2008, exposed a staggering 301,914,981 accounts. The data surfaced for sale on the Real Deal dark market website in May 2016. This breach isn't a new event, but the age of the data underscores the long tail of risk associated with compromised credentials. Attackers are actively attempting to crack the weak SHA1 hashes (of the first 10 characters of the password, lowercased and unsalted) and re-use the recovered credentials in credential stuffing attacks against other platforms.
Our team noticed increased activity surrounding this breach due to the increasing number of cracked credentials being offered for sale on various Telegram channels dedicated to credential stuffing. The volume of cracked credentials and the relatively low cost suggest that attackers have developed efficient methods for cracking these hashes. This re-emergence highlights the importance of password rotation and the dangers of reusing passwords across multiple platforms, even those considered "legacy."
This breach matters to enterprises because many individuals likely used their work email addresses when creating MySpace accounts. Even if employees have since changed their passwords, the risk remains that they may have used the same password on other, more critical systems. The availability of cracked credentials increases the likelihood of successful account takeovers. The breach ties into the broader threat theme of password reuse and the ongoing exploitation of legacy breaches for modern attacks. The automation of credential cracking and stuffing is a significant driver of this risk.
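The storage scheme described above (SHA1 of the first 10 characters, lowercased, unsalted) is sketched below as an added example, not code from MySpace or from this article's authors. It shows how case and length variants of an old password collapse to the same breached digest, a check a defender can run at password-change time, and a salted, slow alternative for storage. All function names, the sample password, the UTF-8 encoding and the PBKDF2 work factor are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def legacy_digest(password: str) -> str:
    # Scheme as the page describes it: first 10 characters, lowercased,
    # unsalted SHA1. UTF-8 and truncate-then-lowercase order are assumptions.
    return hashlib.sha1(password[:10].lower().encode("utf-8")).hexdigest()

def is_reuse_of_breached(candidate: str, breached_digests: set[str]) -> bool:
    # Password-change check: does the candidate collapse to a digest that the
    # breach corpus already holds for this user?
    digest = legacy_digest(candidate)
    return any(hmac.compare_digest(digest, d) for d in breached_digests)

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def store_password(password: str) -> tuple[bytes, bytes]:
    # Corrected form: full password, per-user random salt, slow KDF.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS)
    return salt, key

def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                PBKDF2_ITERATIONS)
    return hmac.compare_digest(probe, key)

# Constructed sample: the digest a breach corpus would hold for one user whose
# old password was "Summer2008!" (made up for this example).
BREACHED_DIGESTS = {legacy_digest("Summer2008!")}

if __name__ == "__main__":
    # Case changes and anything past character 10 do not alter the digest.
    for candidate in ("SUMMER2008-work", "summer2008#2024", "Autumn2008!"):
        flagged = is_reuse_of_breached(candidate, BREACHED_DIGESTS)
        print(f"{candidate!r}: {'reject, matches breach' if flagged else 'ok'}")
    salt, key = store_password("Summer2008!")
    # The salted KDF keeps case and full length significant.
    print(verify_password("Summer2008!", salt, key))   # True
    print(verify_password("summer2008!", salt, key))   # False
```

Because the legacy digest ignores case and everything after the tenth character, the reuse check also flags new passwords that only append to or re-case the breached one.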
Key point: Total records exposed: 301,914,981
Key point: Types of data included: Email Addresses, Usernames, Passwords (SHA1 hashes of the first 10 characters of the password, lowercased and unsalted)
Key point: Sensitive content types: Potentially PII depending on user profiles
Key point: Source structure: Database
Key point: Leak location(s): Real Deal dark market (May 2016), various Telegram channels and dark web forums (recent activity)
News outlets widely covered the initial sale of the MySpace data in 2016. For example, articles on BleepingComputer detailed the data being offered for sale and the potential impact. Security researcher Troy Hunt added the MySpace breach to Have I Been Pwned (HIBP), allowing individuals to check if their email address was included in the leak.
Discussions on Breach Forums and Telegram channels indicate that attackers are actively sharing and trading lists of cracked MySpace passwords. One post on a private forum claimed to have a list of "MySpace combos" with a high success rate on e-commerce sites. This claim, while unverified, suggests that attackers are actively using the cracked credentials for credential stuffing attacks.