Over 65 million Tumblr records dating back to 2013 were discovered for sale on the dark web. A further 360 million Myspace accounts are being sold by the same individual without any obvious date. It also appears to be a historical dump, in part because Myspace’s fall from prominence means it’s no longer so attractive to hackers.
Myspace confirmed it is investigating the breach. It said users with accounts created prior to June 11, 2013 on the old Myspace platform are affected. Email addresses, usernames and passwords are included in the dump.
“Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum,” the site said. “The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform.”
It added it has reported the incident to law enforcement authorities who are investigating criminal allegations. The company has automatically reset the password of every affected user.
News site Motherboard was able to partially verify the authenticity of the vast dump. It exchanged the email addresses of three staff members and two friends with hacked data search engine LeakedSource. In all five cases, LeakedSource’s operators sent back the correct password to the user’s Myspace account.
Tumblr confirmed it has investigated a breach of its own data from early 2013. It said it had no reason to believe the information was used to access accounts but has also reset the passwords of all affected users.
Security researcher Troy Hunt speculated the hacks may be related to other recent large-scale data dumps. Hunt runs the website Have I Been Pwned?, a resource that allows individuals to check if their data has been included in a breach.
In the past month, Hunt has uploaded 167 million LinkedIn accounts, 40 million accounts for adult dating site Fling and the Myspace and Tumblr breaches. He believes the data is related as it is unusual for so many databases to turn up at one time.
There are links between the different breaches. They are all more than three years old, indicating they have been sitting around for years without anyone noticing. All four breaches have made an appearance online within the space of a month though, suggesting something has changed that has caused a hacker to upload them.
The databases are also all in the top five largest dumps ever uploaded to Have I Been Pwned. They account for over two thirds of the data collected by Hunt. All the factors suggest the four breaches are related in some way.
The obvious link would appear to be the dark web seller offering the data. All four breaches are sold by peace_of_mind, a user who has received multiple positive feedback and appears to be satisfying buyers. It is unclear whether Peace is responsible for the hacks themselves though.
Peace is asking for 6 bitcoin (around $2800) for the Myspace data and $150 for the Tumblr breach. The latter one is described as “a list of email addresses” because Tumblr stores passwords securely in a form difficult to crack, driving down the list price. Myspace’s old password security mechanisms are much weaker though, making the data valuable to hackers.
Hunt warned there’s a trend that’s “hard to ignore” transpiring on the dark web. Huge historical data dumps are suddenly being offered for sale within weeks of each other, an occurrence that hasn’t been observed before. He noted there may be more in store waiting to be released by hackers in the next month.
