The nearly irrelevant social site MySpace found itself on the collective tongues of the technology world this month. It wasn’t for a positive reason. No, the site is not making a comeback, unless you count its sudden return to the consciousness of those who had an account there that they may have forgotten about. In late May, the site learned that its user login data was for sale on online hacker forums. The breach affected the credentials of what may be more than 360 million accounts.
Alright, the breach occurred in 2013 and concerns accounts that were created prior to June of that year. So at this point you’re thinking to yourself, what’s the problem? I don’t use my MySpace account anymore. I mean, this really is a non-factor. What is there to worry about?
This is where things get interesting. If the password you used on your affected MySpace account appears anywhere else, let’s say your Amazon, eBay, Facebook, iTunes, Netflix or Twitter account, or countless other places, those accounts are now, and in reality have been, seriously vulnerable.
Meanwhile, last week LeakedSource, a site that aggregates hacked data sets, reported that it received 32 million Twitter records, each containing some combination of an email address, a Twitter username, and a password, which are currently for sale online. According to the site, the data was provided by a user with the handle “Tessa88@exploit.im” (or Tessa). These credentials likely were not obtained through a breach of Twitter itself; they likely came from attacks on individual users.
LeakedSource also provided a list of the most common passwords used by these accounts. The top ten below:
This is the moment where I desperately seek out a head slap emoji.
The MySpace breach coincided with breaches at Tumblr and the dating website Fling. Credentials from all three of these breaches appeared on the dark web courtesy of a hacker going by the nom de guerre “Peace_of_mind.” Peace_of_mind (or Peace) is also responsible for the release of credentials obtained in a 2012 LinkedIn hack, emphasizing the fact that if Peace_of_mind provides what the name indicates, it is not to the information security industry. Breached passwords for sale currently number north of 640 million according to WIRED.
Speaking of WIRED, senior writer Andy Greenberg scored a fascinating interview with Peace, who has a store page on the dark web market TheRealDeal with a 100% satisfaction rating. You can read Greenberg’s article here.
As Greenberg points out in his article chronicling the interview, it’s difficult to verify any of the information he received from Peace. With that caveat, and understanding that we are trusting information provided by an individual who profits from trafficking others’ personal information on the dark web, we can gain some insight into who Peace is and his/her motivation:
- Is Russian
- Worked as a part of a “team” of hackers
- Began selling credentials after others started reselling the data, some on the team began making money selling credentials publicly, and the group began dissolving
- Claims to have worked with “Tessa,” who provided LeakedSource with the above-mentioned Twitter credentials
- Says the group did not offer the data to the public sooner because it found more value in keeping the data private. The group had uses for the data, and so did other buyers who expected it to remain private. The data can be used for spamming and for tracking down accounts where users reuse passwords.
- Claims to have made about $30,000 from the release of the LinkedIn, Tumblr, and MySpace data, which he says was a month’s work for him
- Also claims to have another billion or so credentials from websites, mainly social media and dating from the 2012-2013 timeframe (likely including the Twitter credentials already public), that have yet to be released. Peace_of_mind is also very confident that he won’t be apprehended. Both of these factors make it a pretty safe bet that we have not yet heard the end of this story.
The marketplace for this type of data is evolving. According to the Dell SecureWorks Underground Hacker Market Annual Report, released in April of 2016, US social media account credentials can fetch $129. So can personal email credentials. Meanwhile, corporate email accounts run $500 per mailbox according to the report.
I mention all of this so that maybe you can start to see that there is intrinsic value in your passwords. Maybe if you can grasp that, you will begin to understand that they need to be strengthened. If you needed your vault guarded, would you prefer Barney Fife or Superman? Obviously you’d take the Man of Steel. You want passwords that are strong and can’t be cracked easily.
There are some very simple things you can do to create good password hygiene:
Recycling…Good for the environment, bad for cybersecurity – Never use the same password for different accounts. Vary them. Find a way. It’s not hard.
Passwords are like underwear…Change them often – If you have passwords you haven’t changed in months or years, it’s time to do an audit. These breaches happen. When you hear about a breach at a company where you have an account, run to your computer and update your password.
One is a lonely number…Two is better than one – When available, use two-factor authentication. This usually involves a separate device that the user carries with them, such as a smartphone, to verify account changes. It’s just an extra layer of protection.
123456 is not a password…It’s a Sesame Street jingle – Do I need to show the graphic again? Your passwords have true market value. It’s time to ensure they are strong and difficult to crack. Come up with a system that’s unique to you, and use that system. Vary passwords with letters, numbers, and symbols. The more complex the password, the harder it is to crack and the safer you will be.
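To make the four tips above concrete, here is an added example (not from the original post) of a small audit script a user or help desk could run over a password-manager export: it flags passwords reused across sites, passwords whose SHA-1 digest appears in a breach list, and passwords that fall short of the length-and-variety advice given above. The vault entries and the breach digests are constructed sample data, not real credentials or a real dump.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample vault, shaped like a password-manager export.
# The hostnames and passwords are made up for this example.
VAULT = [
    ("myspace.example", "123456"),
    ("amazon.example", "123456"),
    ("twitter.example", "Tr0ub4dor&3"),
    ("bank.example", "correct horse battery staple"),
    ("netflix.example", "Tr0ub4dor&3"),
]

# Constructed breach corpus: SHA-1 digests of passwords seen in a dump.
# Breach lists are usually shared as digests, so we compare digests, not plaintext.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("123456", "password", "qwerty")
}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def is_weak(password: str) -> bool:
    """Heuristic from the post's advice: enough length, or a long passphrase.
    Anything under 12 characters is weak; 12-19 characters must mix letters,
    digits and symbols; 20+ characters (a passphrase) passes on length alone."""
    classes = sum(bool(re.search(p, password)) for p in (r"[A-Za-z]", r"\d", r"[^\w\s]"))
    return len(password) < 12 or (len(password) < 20 and classes < 3)


def audit(vault):
    """Return {site: [findings]} listing 'reused', 'breached' and 'weak' per site."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)
    findings = defaultdict(list)
    for site, pw in vault:
        if len(sites_by_password[pw]) > 1:
            findings[site].append("reused")
        if is_breached(pw):
            findings[site].append("breached")
        if is_weak(pw):
            findings[site].append("weak")
    return dict(findings)


if __name__ == "__main__":
    for site, problems in audit(VAULT).items():
        print(f"{site}: {', '.join(problems)}")
```

Sites with no findings are omitted from the result, so an empty dictionary means the vault passed all three checks.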
Cybersecurity is always evolving. It’s also critical to protecting yourself online. Therefore, it’s important to keep educating yourself on the latest tools and techniques available, as well as the tricks cyber criminals are currently using. We offer public and private education designed to teach individuals how to protect themselves online. As Sergeant Phil Esterhaus of Hill Street Blues would advise in our current digital world, “Let’s be careful out there!”
About the Author
With a background in both content creation and business technology, Corey White brings a unique perspective to FPOV. As a multimedia journalist, Corey developed media for a wide variety of platforms, finding innovative ways to incorporate technology into his creation process and distribution methods. Also a former eCommerce manager, Corey understands the opportunities and challenges leaders face as they work to onboard new technologies and processes into their organizations. He is focused on helping leaders rise to those challenges and maximize those opportunities.