Slashdot Mirror


You Can Now Browse Through 427 Million Stolen MySpace Passwords (mashable.com)

Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace -- some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.

36 of 64 comments

  1. security researcher my ass by Anonymous Coward · · Score: 1

    More like a criminal. Why are you people okay with this behavior?

    1. Re:security researcher my ass by bmk67 · · Score: 1, Funny

      Who precisely is "you people"?

  2. Much easier than by fropenn · · Score: 3, Funny

    going through MySpace's password recovery feature. Now, maybe I will be able to update my MySpace page for the first time in ten years!

    1. Re:Much easier than by wile_e_wonka · · Score: 4, Insightful

      I think the bigger deal isn't the risk of unauthorized people accessing ancient unupdated MySpace pages. I think the bigger deal is that a lot of people are using that same password, now disclosed online, for their email login, bank login, etc. And the MySpace leak gives everyone the ability to look up a large swath of the population's passwords. A lot of not very tech-savvy people had MySpace accounts, and I haven't looked at the file, but it seems that a less-than-honest person could match people to passwords in a lot of these cases and then have that person's passwords for a lot of different sites.

    2. Re:Much easier than by Richard+Dick+Head · · Score: 1

      This. I no longer have access to my AOL email address, so this list is the only way to get my MySpace password X-D

  3. Re: In unrelated news by Anonymous Coward · · Score: 2, Informative

    BeauHD is the editor who does that crap. This story was posted by manishs, so it doesn't have unrelated news. I'd be happy if Slashdot replaced BeauHD by bringing Timothy back.

  4. Re:i don't get it by Khyber · · Score: 1

    Information wants to be free.

    This is why most people simply can't keep their mouths shut.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  5. Re:i don't get it by Schezar · · Score: 3, Funny

    They're not stolen. The original users of those passwords still have them. ;)

    --
    GeekNights!
    Late Night Radio for Geeks!
  6. that's fine. by pseudosero · · Score: 1

    I forgot my password anyway

    --
    sometimes, nothing.
  7. The real question is.. by Patent+Lover · · Score: 2, Insightful

    What the heck is MySpace?

    1. Re:The real question is.. by MobileTatsu-NJG · · Score: 4, Funny

      It's that site that a lot of Slashdotters went to a long time ago and painfully discovered that it requires having friends.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:The real question is.. by Nidi62 · · Score: 4, Informative

      A website that allowed angsty middle-class teenagers to put up pages with horribly eye-sore backgrounds and embedded music players that automatically start playing music about how misunderstood they are and how horrible their lives are.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    3. Re:The real question is.. by bmk67 · · Score: 1

      Nothing of importance.

    4. Re:The real question is.. by goombah99 · · Score: 1

      It's a 2mmx1mm patch on a hard disk somewhere.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    5. Re:The real question is.. by Solandri · · Score: 1

      I thought that was GeoCities.

    6. Re: The real question is.. by Nidi62 · · Score: 1

      No, GeoCities was animated backgrounds and dancing babies.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    7. Re:The real question is.. by HalAtWork · · Score: 1

      Friends don't let friends use animated gifs for backgrounds and front loading 20 autoplay audio tracks

  8. Re:Productive Purpose? by Chatterton · · Score: 1

    One productive use I see is to run this password database against the company logins to check if one is in this list to ask the user to change it. Because sooner or later, and most probably sooner, a hacker will do the same...

  9. chmod +x passwords.txt by Sloppy · · Score: 3, Informative

    As always, you should exercise caution while downloading any file from an unverified source on the internet; at the very least, you should run it through a virus scanner before doing anything with it.

    WTF?

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:chmod +x passwords.txt by Anonymous Coward · · Score: 1

      In fairness, trying to open a 13 GB text document might well cause some kind of previously unknown buffer overflow in Notepad. Which probably runs in kernel mode to do some font rendering, given Microsoft's past form.

    2. Re:chmod +x passwords.txt by PraiseBob · · Score: 1

      It's crazy, but true. Windows users have to live in constant paranoia of their machine executing any random download, USB stick, CDs, emails, etc.

  10. Site seems down by elliott666 · · Score: 1

    Wow, it's been so long since I've seen a site get slashdotted that I almost forgot about the term!

  11. Strange by eulernet · · Score: 1

    The site:
    https://haveibeenpwned.com/

    tells me that my MySpace account has been pwned, but I don't remember creating a MySpace account.

  12. Re:In unrelated news by FatdogHaiku · · Score: 2

    What? No "in unrelated news" link at the bottom of the story? What if I can't remember how to scroll down? I'll never hear about "Why Twitter Can't Even Protect Tech CEOs From Getting Hacked".

    At least it's not "One weird trick to read 427 million passwords!"...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  13. Re:Productive Purpose? by ageoffri · · Score: 1

    I'd be careful with doing this. It can create a legal liability, if InfoSec runs a password cracking tool against current hashes and succeeds in getting plain text passwords at that point the individual accountability becomes questionable. You can enforce procedures to keep InfoSec legally accountable, but a savvy lawyer will create doubt. The better answer is to run a password cracking tool against hashes that are older, 6 months to a year depending on your password change requirements. Then target any users whose password is cracked with training on password security. With your legal team's approval and help, you can inform the user that they are getting the remedial training because an old password was cracked.

    --
    -- Slashdot, making the Left look conservative since 1997.
  14. Anyone have the torrent link? by wbr1 · · Score: 1

    The site is slashdotted. Would like to snag this.

    --
    Silence is a state of mime.
    1. Re:Anyone have the torrent link? by wbr1 · · Score: 2

      Got it: magnet link: magnet:?xt=urn:btih:17E6FC94DAE0A3168301012C290A53A2BD314A28&dn=Myspace.com.rar&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce&tr=udp%3a%2f%2f9.rarbg.com%3a2710%2fannounce&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&tr=http%3a%2f%2fbt.careland.com.cn%3a6969%2fannounce&tr=udp%3a%2f%2fexplodie.org%3a6969%2fannounce&tr=http%3a%2f%2fmgtracker.org%3a2710%2fannounce&tr=http%3a%2f%2ftracker.tfile.me%2fannounce&tr=http%3a%2f%2ftracker.torrenty.org%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.trackerfix.com%3a80%2fannounce&tr=http%3a%2f%2fwww.mvgroup.org%3a2710%2fannounce&tr=udp%3a%2f%2f9.rarbg.com%3a2710%2fannounce&tr=udp%3a%2f%2f9.rarbg.me%3a2710%2fannounce&tr=udp%3a%2f%2f9.rarbg.to%3a2710%2fannounce&tr=udp%3a%2f%2fcoppersurfer.tk%3a6969%2fannounce&tr=udp%3a%2f%2fexodus.desync.com%3a6969%2fannounce&tr=udp%3a%2f%2fglotorrents.pw%3a6969%2fannounce&tr=%2audp%3a%2f%2fopen.demonii.com%3a1337%2fannounce&tr=udp%3a%2f%2ftracker.coppersurfer.tk%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.glotorrents.com%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.leechers-paradise.org%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker4.piratux.com%3a6969%2fannounce&tr=udp%3a%2f%2ftracker.pomf.se%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&ws=https%3a%2f%2fmyspace.thecthulhu.com%2fMyspace.com.rar

      --
      Silence is a state of mime.
    2. Re:Anyone have the torrent link? by wbr1 · · Score: 1
      --
      Silence is a state of mime.
  15. Re:Productive Purpose? by JackieBrown · · Score: 1

    Most companies force you to change passwords at least every 90 days so the MySpace password would be obsolete by now. They also don't usually register your corporate account with your home email.

    Any company that is not forcing password changes and uses their users' home email as a login name is probably not going to run the test you suggested.

  16. Mirror by InvisiBill · · Score: 1

    http://wayback.archive.org/web/*/https://myspace.thecthulhu.com/ (The original was slow for me, but did eventually load.)

    There's a Magnet link on the page, but the Torrent file itself didn't get archived. I put a copy at http://www.invisibill.net/Myspace.com.rar.torrent.

  17. VUZE is now malware by goombah99 · · Score: 3, Informative

    I opened up my trusty torrent client, Vuze, to download this and it asked to install an update. I let it, and then bad craziness broke out. It visibly opened all my browsers up, opened up their preference settings, downloaded and installed extensions, and set their default pages and search engine to Yahoo.

    Vuze is now malware. Beware.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:VUZE is now malware by goombah99 · · Score: 1

      They came out with Vuze Leap which is a streamlined version of the original Leap. The install is simplified. It used to work really well. Probably the simplest torrent client I've used.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  18. Confirmed: VUZE Leap is now malware by Anonymous Coward · · Score: 1

    If you go to the Vuze support forum there are multiple posts yelling about Vuze as malware. In the earliest one the moderator denies this. Then in the others the moderator has posted how to change your settings back to another search engine. They fail to mention the extensions (like quickview) that Vuze installs in all of your browsers.

    The company can no longer be trusted.

  19. Re:MySpace by sa1lnr · · Score: 1

    It was a vast archive of horrendous web page design.

  20. Title is misleading? You can't browse passwords... by Sibelius · · Score: 1

    So far as I can tell, this dump contains only the SHA-1 hashes of passwords and no one has figured out how to invert SHA-1.

    The SHA-1 hashes of common, already-known passwords are available, so it's possible to invert hashes for these passwords. But, claiming that you can recover any of the passwords is wholly different from being able to confirm that a few well-known passwords were used by a segment of the population. Case in point: Of the ~420 million passwords in the leak, only about 7 million are in the top 55 board on leakedsource.com/blog/myspace, i.e., 1.6%.

    It would appear that, if anything, this is really a list of email addresses from circa 2013. It could also be interesting to look at the distribution of passwords by looking at frequencies of specific hashes.
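The check Chatterton suggests and the hash-frequency idea in the comment above can both be done without touching anyone's stored credentials. This is an added example, not part of the original comments: it screens a candidate password at set time against a set of breached unsalted SHA-1 hashes, counts how often each hash recurs, and contrasts that with salted storage. The `email:sha1hex` line layout and all sample values are constructed assumptions, not the real dump's format.

```python
import hashlib
import os
import re
from collections import Counter

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample; "email:sha1hex" is an assumed layout, not the real dump's.
SAMPLE_DUMP = "\n".join([
    "a@example.com:" + sha1_hex("password1"),
    "b@example.com:" + sha1_hex("password1"),
    "c@example.com:" + sha1_hex("iloveyou"),
    "d@example.com:" + sha1_hex("password1").upper(),
    "broken line without a hash",
    "e@example.com:" + sha1_hex("x9$Lq!vT2#unlikely"),
])

def parse_dump(text):
    """Return (email, lowercase hash) pairs, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        email, sep, digest = line.strip().rpartition(":")
        digest = digest.lower()
        if sep and email and SHA1_HEX.match(digest):
            records.append((email, digest))
    return records

def is_breached(candidate, breached):
    """Screen a password when it is set or changed, before it is stored."""
    return sha1_hex(candidate) in breached

def hash_frequencies(records, top=3):
    """Unsalted hashes are equal for equal passwords, so reuse is visible."""
    return Counter(digest for _, digest in records).most_common(top)

def salted_record(password, salt=None):
    """Per-user salt plus a slow KDF: equal passwords give unequal records."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    breached = {digest for _, digest in recs}
    print(is_breached("password1", breached), is_breached("correct horse", breached))
    print(hash_frequencies(recs))
```
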

  21. How to get rid of VUZE torrent client malware. by Anonymous Coward · · Score: 1

    Same thing happened to me. It appears Vuze installs the Spigot adware infection into your computer.
    For Chrome there's some hope of disinfecting your computer. Don't know how to fix Safari or Firefox.

    navigate to /Users/YOUR_COMPUTER_USERNAME/Library/Application Support/Google/Chrome

    YOUR_COMPUTER_USERNAME must of course be replaced with your computer username

    grep -rnw '.' -e 'spigot' and grep -rnw '.' -e 'api.mybrowserbar'

    Get in there and remove that shit.

    In the most annoying case, their genius software made itself the default restart page for whenever Chrome unexpectedly crashes. This little tidbit is located deep inside a sort of huge JSON blob at ./Default/Preferences, inside Chrome directory
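Because the Preferences file mentioned above is one large JSON document, a recursive walk can report exactly which settings contain the adware's strings, where grep only shows that the file matches. This is an added example, not part of the original comment: the sample document and its key names are constructed for illustration, and only the indicator strings `spigot` and `api.mybrowserbar` come from the comment.

```python
import json

INDICATORS = ("spigot", "api.mybrowserbar")  # strings named in the comment above

# Constructed sample; key names are illustrative, not a real Preferences file.
SAMPLE_PREFS = json.dumps({
    "homepage": "https://search.example/?src=Spigot",
    "session": {"startup_urls": ["https://api.mybrowserbar.com/start",
                                 "https://example.org/"]},
    "extensions": {"settings": {"abcdefgh": {
        "path": "abcdefgh/1.0",
        "manifest": {"name": "Example Toolbar (spigot)"}}}},
    "profile": {"name": "Person 1"},
})

def find_indicators(node, indicators=INDICATORS, path="$"):
    """Walk parsed JSON and return (json_path, indicator, value) for every
    key or string value that contains an indicator, case-insensitively."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            for ind in indicators:
                if ind in key.lower():
                    hits.append((child, ind, "<key>"))
            hits.extend(find_indicators(value, indicators, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_indicators(value, indicators, f"{path}[{i}]"))
    elif isinstance(node, str):
        for ind in indicators:
            if ind in node.lower():
                hits.append((path, ind, node))
    return hits

def scan_preferences(text):
    """Parse a Preferences document; malformed JSON (for example a file
    caught mid-write) yields a parse-error entry instead of a crash."""
    try:
        return find_indicators(json.loads(text))
    except json.JSONDecodeError as exc:
        return [("$", "parse-error", str(exc))]

if __name__ == "__main__":
    for path, ind, value in scan_preferences(SAMPLE_PREFS):
        print(f"{path}: {ind!r} in {value!r}")
```

Run it on a copy of the file with Chrome closed, since the browser rewrites Preferences while it is running.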