The largest database of stolen passwords ever is now online for everyone to see.
Image: Marcos Mesa Sam Wordley/Shutterstock
If you're still wondering what terrible password you picked in high school when you signed up for MySpace, the hottest social network at the time, we've got some good news for you.
The entire database of 427 millions password that were stolen years ago from the once great social network MySpace is now available online for anyone to see. Thomas White, an independent security researcher who goes under the handle TheCthulhu, posted it on his site on Wednesday.
If at this point you're thinking: Who cares about my old MySpace password? You're missing the point. Probably no one wants to get into your MySpace account, but there's a good chance you, and millions of others, have at some point used that same password somewhere else, perhaps somewhere more interesting (say, PayPal). So, once again, please change your passwords on all sites where you reused it, and for the future, please stop reusing passwords.
Please change your passwords on all sites where you reused it, and for the future, please stop reusing passwords.
"The following contains the alleged data breach from Myspace dating back a few years," White wrote, providing a link to a compressed file of more than 15 GB. "As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose."
At the end of May, a hacker who goes by the name Peace or Peace of Mind, posted the database for sale on the dark web marketplace The Real Deal. A few days later MySpace reacted to the news by forcing a password reset on all its users. So if you're thinking you can now break into your high school girlfriend's MySpace, you're out of luck. (Also, that's illegal and creepy, so please don't even think about it.)
Still, this data can now be stashed away by password collectors, or consulted by password researchers. Of course, miscreants can also try these passwords on other sites, in the hopes that the would-be victim reused the same password. (Again, if you think you have used your MySpace password elsewhere, please change it!)
The passwords in the database are not in their original, cleartext form, but are all "hashed" with the SHA1 algorithm, a form of encoding passwords that's known to be weak and relatively easy to crack. So if you want to see your password, you'll have to crack it first, which can be done using easy-to-use online tools.
"Eventually data will make it to the complete blatant clear web."
The surfacing of the MySpace stolen data on the open internet is the inevitable end to the lifecycle of hacked data.
"Eventually data will make it to the complete blatant clear web, just sometimes we get it first," a LeakedSource operator told me in an online chat.
After MySpace got hacked, the stolen data got traded and abused in the shadows for years, until it surfaced on The Real Deal and on the data breach awareness site LeakedSource last month. At that point, the cat was out of the bag and it was only a matter of time until it became widely available.