Slashdot Mirror


You Can Now Browse Through 427 Million Stolen MySpace Passwords (mashable.com)

Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace -- some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.

64 comments

  1. security researcher my ass by Anonymous Coward · · Score: 1

    More like a criminal. Why are you people okay with this behavior?

    1. Re:security researcher my ass by bmk67 · · Score: 1, Funny

      Who precisely is "you people"?

    2. Re:security researcher my ass by Anonymous Coward · · Score: 0

      The sleazy slimy malodorous cretin criminals known as 'slashdotters'.

  2. Much easier than by fropenn · · Score: 3, Funny

    going through MySpace's password recovery feature. Now, maybe I will be able to update my MySpace page for the first time in ten years!

    1. Re:Much easier than by Anonymous Coward · · Score: 0

      No need, it will be updated for you!

    2. Re:Much easier than by wile_e_wonka · · Score: 4, Insightful

      I think the bigger deal isn't the risk of unauthorized people accessing ancient unupdated MySpace pages. I think the bigger deal is that a lot of people are using that same password, now disclosed online, for their email login, bank login, etc. And the MySpace leak gives everyone the ability to look up a large swath of the population's passwords. A lot of not very tech-savvy people had MySpace accounts, and I haven't looked at the file, but it seems that a less-than-honest person could match people to passwords in a lot of these cases and then have that person's passwords for a lot of different sites.

    3. Re:Much easier than by Anonymous Coward · · Score: 0

      In soviet russia, myspace updates you!

    4. Re:Much easier than by Richard+Dick+Head · · Score: 1

      This. I no longer have access to my AOL email address, so this list is the only way to get my MySpace password X-D

  3. In unrelated news by Anonymous Coward · · Score: 0

    What? No "in unrelated news" link at the bottom of the story? What if I can't remember how to scroll down? I'll never hear about "Why Twitter Can't Even Protect Tech CEOs From Getting Hacked".

    1. Re: In unrelated news by Anonymous Coward · · Score: 2, Informative

      BeauHD is the editor who does that crap. This story was posted by manishs, so it doesn't have unrelated news. I'd be happy if Slashdot replaced BeauHD by bringing Timothy back.

    2. Re:In unrelated news by FatdogHaiku · · Score: 2

      What? No "in unrelated news" link at the bottom of the story? What if I can't remember how to scroll down? I'll never hear about "Why Twitter Can't Even Protect Tech CEOs From Getting Hacked".

      At least it's not "One weird trick to read 427 million passwords!"...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  4. Productive Purpose? by Anonymous Coward · · Score: 0

    Tuning John the ripper to crack passwords more effectively? Or just wasting some computer cycles watching it crack them.

    1. Re:Productive Purpose? by Chatterton · · Score: 1

      One productive use I see is to run this password database against the company logins to check if one is in this list to ask the user to change it. Because sooner or later, and most probably sooner, a hacker will do the same...

    2. Re:Productive Purpose? by ageoffri · · Score: 1

      I'd be careful with doing this. It can create a legal liability: if InfoSec runs a password cracking tool against current hashes and succeeds in getting plain text passwords, at that point the individual accountability becomes questionable. You can enforce procedures to keep InfoSec legally accountable, but a savvy lawyer will create doubt. The better answer is to run a password cracking tool against hashes that are older, 6 months to a year depending on your password change requirements. Then target any users whose password is cracked with training on password security. With your legal team's approval and help, you can inform the user that they are getting the remedial training because an old password was cracked.

      --
      -- Slashdot, making the Left look conservative since 1997.
    3. Re:Productive Purpose? by JackieBrown · · Score: 1

      Most companies force you to change passwords at least every 90 days, so the MySpace password would be obsolete by now. They also don't usually register your corporate account with your home email.

      Any company that is not forcing password changes and uses their users' home email as a login name is probably not going to run the test you suggested.

  5. MySpace by Anonymous Coward · · Score: 0

    What is MySpace?

    1. Re:MySpace by sa1lnr · · Score: 1

      It was a vast archive of horrendous web page design.

  6. i don't get it by Anonymous Coward · · Score: 0

    When sites post about these things, they are basically advertising the location of stolen goods. eh?

    1. Re:i don't get it by Khyber · · Score: 1

      Information wants to be free.

      This is why most people simply can't keep their mouths shut.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:i don't get it by Schezar · · Score: 3, Funny

      They're not stolen. The original users of those passwords still have them. ;)

      --
      GeekNights!
      Late Night Radio for Geeks!
    3. Re:i don't get it by Anonymous Coward · · Score: 0

      The bad guys already have the info, why shouldn't the good guys get it also. Don't you want to know if your MySpace account has been hacked?

      P.S. I know you probably don't have a MySpace account, but you get the point.

    4. Re: i don't get it by Anonymous Coward · · Score: 0

      Not all of us do? May have to DL this torrent to access my zombie account. It's been a source of horrible Google search returns for years...

    5. Re:i don't get it by Anonymous Coward · · Score: 0

      lol, downvoted for too much truth.

  7. Obligatory by Anonymous Coward · · Score: 0

    So many passwords in the file are the exact combination to my luggage!

  8. that's fine. by pseudosero · · Score: 1

    I forgot my password anyway

    --
    sometimes, nothing.
  9. The real question is.. by Patent+Lover · · Score: 2, Insightful

    What the heck is MySpace?

    1. Re:The real question is.. by MobileTatsu-NJG · · Score: 4, Funny

      It's that site that a lot of Slashdotters went to a long time ago and painfully discovered that it requires having friends.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:The real question is.. by Nidi62 · · Score: 4, Informative

      A website that allowed angsty middle-class teenagers to put up pages with horribly eye-sore backgrounds and embedded music players that automatically start playing music about how misunderstood they are and how horrible their lives are.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    3. Re:The real question is.. by bmk67 · · Score: 1

      Nothing of importance.

    4. Re:The real question is.. by goombah99 · · Score: 1

      It's a 2mmx1mm patch on a hard disk somewhere.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    5. Re:The real question is.. by Anonymous Coward · · Score: 0

      Sounds like Facebook, but with less ads

    6. Re:The real question is.. by Solandri · · Score: 1

      I thought that was GeoCities.

    7. Re: The real question is.. by Nidi62 · · Score: 1

      No, geocities was animated backgrounds and dancing babies.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    8. Re:The real question is.. by HalAtWork · · Score: 1

      Friends don't let friends use animated gifs for backgrounds and front loading 20 autoplay audio tracks

  10. chmod +x passwords.txt by Sloppy · · Score: 3, Informative

    As always, you should exercise caution while downloading any file from an unverified source on the internet; at the very least, you should run it through a virus scanner before doing anything with it.

    WTF?

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:chmod +x passwords.txt by Anonymous Coward · · Score: 1

      In fairness, trying to open a 13 GB text document might well cause some kind of previously unknown buffer overflow in Notepad. Which probably runs in kernel mode to do some font rendering, given Microsoft's past form.

    2. Re:chmod +x passwords.txt by PraiseBob · · Score: 1

      It's crazy, but true. Windows users have to live in constant paranoia of their machine executing any random download, usb stick, cd's, emails, etc.

    3. Re:chmod +x passwords.txt by Anonymous Coward · · Score: 0

      Notepad? Why aren't you using vi?

    4. Re: chmod +x passwords.txt by Anonymous Coward · · Score: 0

      Use total commander

  11. Slashdotted... anyone got the torrent link? by Anonymous Coward · · Score: 0

    Anyone have the torrent link and password for the archive?

  12. Site seems down by elliott666 · · Score: 1

    Wow, it's been so long since I've seen a site get slashdotted that I almost forgot about the term!

  13. Strange by eulernet · · Score: 1

    The site:
    https://haveibeenpwned.com/

    tells me that my MySpace account has been pawned, but I don't remember creating a MySpace account.

    1. Re:Strange by Anonymous Coward · · Score: 0

      You probably got pwned on some other site, then somebody created the MySpace for you. Which then also got pwned. This might be your only chance to be able to pwn back any other accounts that get made for you by grabbing the hacker's password.

  14. Excellent! Time to change my password by Anonymous Coward · · Score: 0

    I have a hard time remembering passwords. I'll just go through the list until I get one that works.

  15. Is it criminal to share it? by Anonymous Coward · · Score: 0

    I mean, he's in possession of stolen property, so I presume yes.

    captcha: entangle

  16. Anyone have the torrent link? by wbr1 · · Score: 1

    The site is slashdotted. Would like to snag this.

    --
    Silence is a state of mime.
    1. Re:Anyone have the torrent link? by wbr1 · · Score: 2

      Got it: magnet link: magnet:?xt=urn:btih:17E6FC94DAE0A3168301012C290A53A2BD314A28&dn=Myspace.com.rar&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce&tr=udp%3a%2f%2f9.rarbg.com%3a2710%2fannounce&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&tr=http%3a%2f%2fbt.careland.com.cn%3a6969%2fannounce&tr=udp%3a%2f%2fexplodie.org%3a6969%2fannounce&tr=http%3a%2f%2fmgtracker.org%3a2710%2fannounce&tr=http%3a%2f%2ftracker.tfile.me%2fannounce&tr=http%3a%2f%2ftracker.torrenty.org%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.trackerfix.com%3a80%2fannounce&tr=http%3a%2f%2fwww.mvgroup.org%3a2710%2fannounce&tr=udp%3a%2f%2f9.rarbg.com%3a2710%2fannounce&tr=udp%3a%2f%2f9.rarbg.me%3a2710%2fannounce&tr=udp%3a%2f%2f9.rarbg.to%3a2710%2fannounce&tr=udp%3a%2f%2fcoppersurfer.tk%3a6969%2fannounce&tr=udp%3a%2f%2fexodus.desync.com%3a6969%2fannounce&tr=udp%3a%2f%2fglotorrents.pw%3a6969%2fannounce&tr=%2audp%3a%2f%2fopen.demonii.com%3a1337%2fannounce&tr=udp%3a%2f%2ftracker.coppersurfer.tk%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.glotorrents.com%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.leechers-paradise.org%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker4.piratux.com%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.pomf.se%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&ws=https%3a%2f%2fmyspace.thecthulhu.com%2fMyspace.com.rar

      --
      Silence is a state of mime.
    2. Re:Anyone have the torrent link? by wbr1 · · Score: 1
      --
      Silence is a state of mime.
    3. Re:Anyone have the torrent link? by Anonymous Coward · · Score: 0

      15 GIGS? What all's in the file exactly, there's no way 450 million email:password combinations takes up 15 gigs of space.

    4. Re:Anyone have the torrent link? by Anonymous Coward · · Score: 0

      Hi. Note that the magnet link has a 'webseed' URL at the very end. It's a link to the whole 14,3 GB file over the HTTP protocol.

      Anyone up for a slashdotting? I'm not evil enough to link straight to it, but the URL is right after ws=

      The HTTP server is giving 400+ KB/s for me right now.

    5. Re:Anyone have the torrent link? by Anonymous Coward · · Score: 0

      If each user equalled one byte, it would be a 450MB file. 10 bytes each, 4.50GB. 14GB is roughly 30 bytes each for 450 million users. Not entirely unreasonable at all, how did you come to the conclusion that 14.3GB is unreasonable?

  17. Closed my page eons ago by Anonymous Coward · · Score: 0

    Enjoy the obsolete password suckers!

  18. Mirror by InvisiBill · · Score: 1

    http://wayback.archive.org/web/*/https://myspace.thecthulhu.com/ (The original was slow for me, but did eventually load.)

    There's a Magnet link on the page, but the Torrent file itself didn't get archived. I put a copy at http://www.invisibill.net/Myspace.com.rar.torrent.

    1. Re:Mirror by Anonymous Coward · · Score: 0

      Here's the important stuff from your link.

      Magnet link: magnet:?xt=urn:btih:17E6FC94DAE0A3168301012C290A53A2BD314A28

      Decryption key: KLub8pT&iU$8oBY(*$NOiu

      I stripped the load of trackers from the magnet. It should work without, via DHT.

      I now know why the website died. The magnet link has a 'webseed' URL, that links to the full 14,3 GB .rar on the site. Torrent clients use a webseed if they can't find seeds IIRC. So now he has a swarm of torrent clients that are requesting parts (?) of the file straight from the site. Some sort of new second-order slashdot effect?

  19. VUZE is now malware by goombah99 · · Score: 3, Informative

    I opened up my trusty torrent client, Vuze, to download this and it asked to install an update. I let it, and then bad craziness broke out. It visibly opened all my browsers up, opened up their preference settings, downloaded and installed extensions, and set their default pages and search engine to Yahoo.

    Vuze is now malware. Beware.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:VUZE is now malware by Anonymous Coward · · Score: 0

      Last time I installed Vuze you needed to spend some time to debloat it and bring out the powerful client inside it.

    2. Re:VUZE is now malware by goombah99 · · Score: 1

      They came out with Vuze Leap which is a streamlined version of the original Leap. The install is simplified. It used to work really well. Probably the simplest torrent client I've used.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  20. Confirmed: VUZE Leap is now malware by Anonymous Coward · · Score: 1

    If you go to the Vuze support forum there are multiple posts yelling about Vuze as malware. In the earliest one the moderator denies this. Then in the others the moderator has posted how to change your settings back to another search engine. They fail to mention the extensions (like quickview) that Vuze installs in all of your browsers.

    The company can no longer be trusted.

  21. Title is misleading? You can't browse passwords... by Sibelius · · Score: 1

    So far as I can tell, this dump contains only the SHA-1 hashes of passwords and no one has figured out how to invert SHA-1.

    The SHA-1 hashes of common, already-known passwords are available, so it's possible to invert hashes for these passwords. But, claiming that you can recover any of the passwords is wholly different from being able to confirm that a few well-known passwords were used by a segment of the population. Case in point: Of the ~420 million passwords in the leak, only about 7 million are in the top 55 board on leakedsource.com/blog/myspace, i.e., 1.6%.

    It would appear that, if anything, this is really a list of email addresses from circa 2013. It could also be interesting to look at the distribution of passwords by looking at frequencies of specific hashes.
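
The hash lookup and frequency count described in this comment, turned to the defensive use Chatterton suggests earlier in the thread (asking users to change a password that is on the list), as an added example that is not part of any comment. It assumes unsalted SHA-1 hex digests and a constructed `id:email:hash` line layout, not the real layout of the dump; all function names are hypothetical.

```python
import hashlib
from collections import Counter


def _sha1_hex(password: str) -> str:
    # Unsalted SHA-1, assumed here because the comment describes plain SHA-1 hashes.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample records (not taken from the real dump): id:email:sha1(password).
# Record 5 has the ID in the password field, a pattern another comment reports.
SAMPLE_DUMP = "\n".join([
    f"1:a@example.com:{_sha1_hex('password1')}",
    f"2:b@example.com:{_sha1_hex('password1')}",
    f"3:c@example.com:{_sha1_hex('iloveyou')}",
    f"4:d@example.com:{_sha1_hex('password1')}",
    "5:e@example.com:5",
])


def load_hash_counts(lines):
    """Count how often each SHA-1 digest occurs; skip fields that are not digests."""
    counts = Counter()
    for line in lines:
        field = line.rstrip("\n").rsplit(":", 1)[-1].strip().lower()
        if len(field) == 40 and all(c in "0123456789abcdef" for c in field):
            counts[field] += 1
    return counts


def breach_count(candidate: str, counts: Counter) -> int:
    """Number of breached records whose digest equals the candidate's digest."""
    return counts.get(_sha1_hex(candidate), 0)


def screen_new_password(candidate: str, counts: Counter, max_seen: int = 0):
    """Run at password-change time, while the plaintext candidate is in hand."""
    seen = breach_count(candidate, counts)
    if seen > max_seen:
        return False, f"appears {seen} time(s) in breached-hash list"
    return True, "not found in breached-hash list"


def reuse_histogram(counts: Counter) -> dict:
    """Map n -> number of distinct digests shared by exactly n accounts."""
    return dict(Counter(counts.values()))


if __name__ == "__main__":
    table = load_hash_counts(SAMPLE_DUMP.splitlines())
    print(screen_new_password("password1", table))
    print(screen_new_password("correct horse battery staple", table))
    print(reuse_histogram(table))
```

Screening the candidate when it is chosen means no cracking tool has to be run against stored hashes of current passwords.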

  22. How to get rid of VUZE torrent client malware. by Anonymous Coward · · Score: 1

    Same thing happened to me. It appears Vuze installs the Spigot adware infection into your computer.
    For Chrome there's some hope of disinfecting your computer. Don't know how to fix Safari or Firefox.

    navigate to /Users/YOUR_COMPUTER_USERNAME/Library/Application Support/Google/Chrome

    YOUR_COMPUTER_USERNAME must of course be replaced with your computer username

    grep -rnw '.' -e 'spigot' and grep -rnw '.' -e 'api.mybrowserbar'

    get in there and remove that shit.

    In the most annoying case, their genius software made itself the default restart page for whenever Chrome unexpectedly crashes. This little tidbit is located deep inside a sort of huge JSON blob at ./Default/Preferences, inside the Chrome directory.
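
The grep above names the files that contain the two strings; for the JSON blob in `./Default/Preferences` it helps to know which key holds them. The following is an added example, not the commenter's code: it walks a Chrome profile directory and reports the JSON path of every match. The matching is a case-insensitive substring test rather than grep's `-w`, and the sample profile and its key names are constructed for the demonstration.

```python
import json
import os
import tempfile

# The two strings grepped for in the comment above.
INDICATORS = ("spigot", "api.mybrowserbar")


def find_in_json(node, path=""):
    """Yield (json_path, value) for each key or string value containing an indicator."""
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}" if path else key
            if any(i in key.lower() for i in INDICATORS):
                yield child, "<key match>"
            yield from find_in_json(val, child)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from find_in_json(val, f"{path}[{idx}]")
    elif isinstance(node, str) and any(i in node.lower() for i in INDICATORS):
        yield path, node


def scan_profile(profile_dir):
    """Return {relative_file: [(json_path, value), ...]} for JSON files with matches."""
    hits = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "r", encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or not JSON; plain grep still covers these files
            found = list(find_in_json(data))
            if found:
                hits[os.path.relpath(full, profile_dir)] = found
    return hits


def demo():
    """Scan a constructed profile tree (sample data, not a real Chrome profile)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Default"))
        prefs = {
            "session": {"startup_urls": ["http://api.mybrowserbar.example/start"]},
            "homepage": "https://www.example.org/",
            "extensions": {"settings": {"abcdef": {"path": "spigot_helper"}}},
        }
        with open(os.path.join(tmp, "Default", "Preferences"), "w", encoding="utf-8") as fh:
            json.dump(prefs, fh)
        with open(os.path.join(tmp, "Default", "History"), "wb") as fh:
            fh.write(b"\x00\xffnot json")  # binary file, skipped by the scanner
        return scan_profile(tmp)


if __name__ == "__main__":
    for rel, found in demo().items():
        for json_path, value in found:
            print(f"{rel}: {json_path} = {value}")
```

Close Chrome and back up the file before editing any reported key.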

  23. VUZE admits to bundling Spigot adware by Anonymous Coward · · Score: 0

    Here's a Spigot representative stating that VUZE does install Spigot malware by default, apologizing for the inconvenience, then offering no way to remove it. He says the opt-out is hidden from sight under the "custom" install tickbox of the Vuze install.

    http://forum.vuze.com/Thread-m...

    Spigot malware contains features that actively resist de-installation. It hits every browser on your computer.

  24. Re:Title is misleading? You can't browse passwords by Anonymous Coward · · Score: 0

    I've been looking at it myself and it appears to be a mixture of hashes and plain text... 15GB is a bitch to grep through so I'm trying to find what data they have on me, but it seems the majority of the accounts are hashes, a minority have plain text passwords, and for some reason, for many accounts, the password field is set to the same as the database entry ID.

    I could be interpreting this incorrectly, but it's interesting all the same.