Continuing the recent spate of massive hacks, user data from the social networking sites MySpace and Tumblr has been offered cheaply on the dark web by the same character behind the LinkedIn breach.
Recently, Tumblr notified users of a data breach that resulted in the theft of user email addresses and hashed passwords, and someone put 65 million user records up for sale on the dark web. The data is being sold on a Tor dark market website called TheRealDeal by a user named peace_of_mind, who also sold 167 million user records stolen from LinkedIn.
Recently the same hacker also posted offers for more than 360 million accounts allegedly stolen from MySpace and 40 million from an adult dating website called Fling.com. The stolen data, which appears to date from 2008 to 2009, holds a massive 360,213,024 records reportedly featuring email addresses, usernames and passwords. The breach consists of 427,484,128 passwords in total, though part of that number is due to about 68 million accounts having secondary passwords.
LinkedIn recently reported a big data breach when hackers claimed to have more than 100 million usernames and passwords up for sale. According to an initial assessment of the data, passwords were stored in SHA1 with “no salting”. Current best practice is to “stretch” each password before storing it by hashing it repeatedly, with a per-user random salt mixed in. Hashing is a one-way operation that generates a fixed-length, verifiable cryptographic representation of a string, called a hash. Hashes are useful for validating and storing passwords in databases, because in case of theft attackers shouldn’t, in theory, be able to convert them back into passwords.
However, fast hashing algorithms like MD5 and SHA1 are cheap to compute, so unsalted hashes made with them can be matched against precomputed tables or guessed at very high speed. This happened in the LinkedIn breach, where the password hashes were generated with vanilla SHA1, allowing researchers to crack over 80 percent of them.
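To make the difference concrete, here is an added example (not code from the article or from any of the companies it mentions) contrasting the unsalted single-pass SHA1 scheme attributed to LinkedIn with a salted, stretched PBKDF2 store. The user records and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happened to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "s3cret!"}


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one SHA1 pass over the password, no salt.
    Every user with the same password gets the same digest, so one
    precomputed table or one cracked digest exposes all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted and stretched: PBKDF2-HMAC-SHA256 with a random 16-byte salt
    and many iterations. The parameters are stored alongside the digest so
    they can be raised later without re-reading old code."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_digests(hash_fn) -> int:
    """Count users whose stored value collides with another user's.
    Unsalted SHA1 leaks shared passwords this way; salted PBKDF2 does not."""
    digests = [hash_fn(pw) for pw in USERS.values()]
    return len(digests) - len(set(digests))


if __name__ == "__main__":
    print("unsalted SHA1 duplicates:", duplicate_digests(sha1_unsalted))
    print("salted PBKDF2 duplicates:", duplicate_digests(pbkdf2_store))
    rec = pbkdf2_store("s3cret!")
    print("verify correct:", pbkdf2_verify(rec, "s3cret!"),
          "verify wrong:", pbkdf2_verify(rec, "guess"))
```

Running it shows one duplicate digest under unsalted SHA1 and none under the salted store, while verification still succeeds only for the right password.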
Even though the data is only now finding its way into the public domain, the breaches date back several years, and users are advised to change their passwords, especially if they use the same password on multiple platforms.