Time confirms Myspace breach, 360M accounts potentially affected

Time Inc. confirmed rumours that Myspace accounts were compromised.
Time Inc. confirmed rumours that Myspace accounts were compromised.

Time Inc. confirmed Tuesday that several Myspace accounts were breached just before the US Memorial Day weekend.

A Time spokesperson would not confirm the exact number of people that were affected by the breach, but told SCMagazine.com that reports of 360 million credentials being sold online “appear to be correct.” The spokesperson said more information will be released upon completion of an investigation into the incident.

Usernames, passwords and email addresses registered before 11 June 2013 were compromised and were spotted on an online hacking forum, according to a 31 May Myspace blog post. Officials believe Russian cyber-hacker ‘Peace', who is allegedly responsible for the LinkedIn and Tumblr breaches, is also responsible for this event.

Rumours of the Myspace hack were circulating prior to Time's confirmation of the attack when Peace told Vice's Motherboard last week that he was seeking to sell 360 million email addresses and passwords from the social media company for $2,800 (£1,942).

Myspace said in the release it has invalidated the passwords of all of the known victims, is monitoring suspicious activity on all accounts and has notified law enforcement of the incident.  

“Leaks of this size typically occur from a database getting breached,” hacker turned security researcher Samy Kamkar told SCMagazine.com via emailed comments.

“Most often databases are breached once attackers are able to reach internal servers that access the database such as web servers that interface with the db,” he said. “I've found many of these types of breaches are initially executed by SQL injection attacks or an admin getting their own passwords exposed from a previous breach of another service.”

While many people feel Myspace isn't as popular as Facebook or Twitter, its hack may be the biggest breach in a long time due to username and password re-use, PC Pitstop's vice president of cyber-security Dodi Glenn, told SCMagazine.com via emailed comments.

“With username and password reuse, an individual may use the same email address or username and password on site A that they would use on sites B and C,” he said. “When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere, not associated with MySpace.”