Last week we reported that Myspace was the subject of a data breach, which led to the leak of over 427 million passwords. Today, the owning company, Time Inc, has confirmed that its microblogging service suffered a data breach, and reiterated several details that we were already aware of.
In a statement posted on its website, the company states:
Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform.
We believe the data breach is attributed to Russian Cyberhacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr, and has claimed on the paid hacker search engine LeakedSource that the data is from a past breach. This is an ongoing investigation, and we will share more information as it becomes available.
The statement goes on to explain the types of data that were leaked in the breach, which include email addresses and usernames, along with one or more passwords per account. The firm also explains what it is doing to protect affected users: any affected accounts created before June 11, 2013, will have their passwords invalidated, and their owners will be asked to authenticate their account and set a new password once they log in.
Crucially, Myspace's development team has taken steps to strengthen security since the breach, with the re-launch of its platform in the summer of 2013. Previously, passwords were hashed and salted, but with a compromised and insecure method known as SHA-1. One of the steps taken is the use of double-salted hashes for storing passwords. Since becoming aware of this breach, the firm has also taken "additional security steps" recently, although it did not outline what they are.
Law enforcement has been informed, and Myspace confirms that it is cooperating with the investigation. The breach has been attributed to a Russian hacker known only as 'Peace'. Peace has also shown up in another recent leak: 60 million passwords from Tumblr.