Myspace, Tumblr, Fling Breaches Exposed 465 Million Accounts


A hacker using the handle Peace is currently selling 360 million Myspace users' email addresses and passwords, 40 million email addresses and passwords for the dating site Fling and 65 million Tumblr passwords, security researcher Troy Hunt reports.

None of the data is new -- the Fling breach dates back to 2011 and the Tumblr breach dates back to 2013.

Last month, the same hacker tried to sell 117 million LinkedIn users' email addresses and passwords that had been stolen in 2012.

Still, as NSFOCUS chief research analyst Stephen Gates told eSecurity Planet by email, Peace doesn't appear to be doing this for the money. "With limited financial gain and timely value to the data, it's reasonable to believe that Peace may be doing it because he/she can," he said. "Right now, Peace is taking the reins of the public image of these social media companies, bringing a mistake they would prefer buried in the past into the forefront of the news cycle."

"There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related," Hunt wrote in a blog post on the stolen data.

Motherboard reports that the Fling data includes email addresses, user names, plain text passwords, IP addresses, birthdates and other personal information.

The Myspace data includes email addresses, user names and passwords. In a separate article, Motherboard notes that the Myspace breach appears to be the largest theft of email addresses and passwords in history.

In a statement published on May 31, Myspace announced, "Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform."

Seclore CEO Vishal Gupta told eSecurity Planet by email that these breaches demonstrate why passwords aren't sufficient for protecting sensitive data. "With password reuse as rampant as it is, even if the compromised account doesn’t contain important data, hackers typically have no problem putting the login credentials to good use (hopefully your bank account and LinkedIn account have different passwords!)," he said.

"Data-centric security solutions are a natural candidate for supplementing the increasingly weakened password," Gupta added. "By applying protections at the data level, even if hackers manage to get their hands on sensitive information, the data remains completely unusable."

A recent Ping Identity survey found that almost half of enterprise employees reuse passwords for work-related accounts, and almost two thirds do so for personal accounts.