Time Inc. confirmed just before the Memorial Day weekend that data was compromised from the MySpace social network. The company issued a statement that the compromised data is limited to MySpace usernames, passwords and email addresses from an old version of the platform—and stressed that stronger security controls were put in place in June of 2013. MySpace itself is all but forgotten, and most of the estimated 360 million affected users probably don’t even realize they even have MySpace account credentials—which is the problem.
“This isn’t the first time MySpace has suffered a breach, and despite their repeated rebranding and shifts in ‘focus’ (from general social network, to ‘music-centric’ social network), it’s hard to imagine it’ll be the last,” says Zach Lanier, Director of Research at Cylance and co-author of “Android Hacker’s Handbook”. “It still has a surprisingly large user base, even though most of those may just be stale accounts. The technical controls in place at the time of the original hack were certainly not up to today’s ‘standards’, and even then there was far less emphasis on bolstering security controls—let alone public awareness of these incidents—than now.”
I agree with Lanier about the risks posed by these stale accounts. The details of this breach may be new, but the concept of zombie accounts posing a risk is not. I wrote about it back in January of 2013—specifically referencing MySpace:
I haven’t used MySpace.com in ages; it has probably been at least five years since I’ve even logged in to the once-dominant social network. But as it turns out, I still have an active account there. I needed a couple tries to recall (or guess, really) my login email and password, but I got in.
Once I logged in, I found information about where I lived and worked, and a few invitations to play online games from early 2009, as well as connections to friends and their personal information. I can all but guarantee that none of those friends has thought about MySpace in years, either.
Fast forward three-plus years, and you can see that this is still a serious security concern.
“So here’s the issue–we can’t write these off as ‘old breaches’ and ignore them,” cautions Geoff Webb, Vice President of Micro Focus. “The reality is that people, as we know, re-use passwords. So instead of something that might just be of historical interest – this might actually be a huge haul of relevant passwords that are still in use on other sites. All the attackers have to do is connect the dots between old social accounts and current users. Given how prone we are to overshare on social media – that might not actually be all that hard.”
What You Need to Know
Mike Raggo, Chief Research Scientist for ZeroFOX, explains, “As these accounts are compromised, users of these platforms can expect phishing campaigns to follow as a method of exploiting additional accounts or targeting other data on the computers and mobile devices used to access those accounts.”
Raggo also suggested that users should reset their passwords, choosing strong passwords and enabling two-factor authentication where possible, and should be particularly careful to review any social media link before clicking on it to avoid becoming a victim of follow-on attacks. He also said this might be a good time to revisit your bio and reconsider how much personal information you share, such as your birthdate, home address, phone number, and more.
According to Cris Thomas, strategist for Tenable Network Security, much of the immediate risk has already been addressed. “With MySpace already invalidating all the impacted passwords, the big risk to end users is going to be from spam, phishing and password reuse. Half a billion valid email addresses that are only a few years old would be a great asset for any spammer. Those email addresses would also be of great use to anyone doing targeted phishing campaigns. Imagine a fake email pretending to be from MySpace telling users they needed to update personal information, only the email is fake and the attackers are harvesting any entered information to use elsewhere. And of course anyone who has reused that same email and password on a different website is at risk.”
Thomas added that—other than the sheer number of accounts impacted—this breach reads very much like other recent breaches in the news. Breaches like this continue to happen, and the only advice to offer end users is to use a different password on every site. Five years from now, or maybe next week, the user list from that site may get breached and dumped on the dark web.