Myspace and Tumblr this week emerged as the latest in a string of mega breaches, each of which resulted in the theft of hundreds of millions of user records, in intrusions that took place not recently but years ago.
“Over the period of this month, we’ve seen an interesting trend of data breaches,” wrote security researcher Troy Hunt, operator of the Have I Been Pwned website. “Any one of these four I’m going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing.”
The granddaddy of the bunch is the Myspace breach — 360 million records have been offered for sale, Hunt said.
The LinkedIn data breach led to 117 million records being offered for sale. Dark web customers also have been invited to purchase 50 million Tumblr account records and 40 million stolen from Fling.com.
The data for sale is listed by someone with the handle “peace_of_mind,” who is “peddling a quality product,” Hunt said.
It’s not clear exactly how much data was stolen.
The Myspace breach may have involved as many as 427 million records, according to Sophos Senior Security Advisor Paul Ducklin.
Tumblr’s exposure may have involved 65 million records, according to some reports.
Old Data Wine in New Bottles
None of the breaches connected to the records for sale were recent — all occurred three or more years ago, Hunt pointed out.
It’s possible “the people currently selling [the data] are acting as proxies and aren’t the hackers themselves,” noted Andrew Komarov, chief intelligence officer at InfoArmor.
The delay, the size of the breaches, and the fact that the stolen data was offered this month may indicate the hacks were related, Hunt noted.
How many more such mega breaches could yet surface? How many have not yet been publicized because the stolen data hasn’t yet been offered on the market?
“We have information that the same hackers are preparing for the sale of data from a big social network from 2011 or 2012, along with many other resources,” InfoArmor’s Komarov told TechNewsWorld.
“It’s not going to stop until we wise up, or until breach information is no longer profitable to hackers for money or leverage,” observed Jon Rudolph, principal software engineer at Core Security.
“Some organizations [don’t realize] that hackers’ skills and their tools are becoming even more sophisticated,” remarked Craig Kensek, a security expert at Lastline.
“There will undoubtedly be more breaches,” he told TechNewsWorld.
The Risk to Users
Tumblr’s user data was hashed, using an uncommon type of hash developed by the company, said InfoArmor’s Komarov.
That may explain why the Tumblr data was offered for a measly 0.4255 bitcoins, equivalent to US$225, on the dark web.
By contrast, the data stolen from LinkedIn and Myspace was protected by simple, unsalted SHA-1 hashes, Sophos’ Ducklin noted.
“The biggest threat … is that people are horrible at choosing unique passwords,” Core Security Systems Engineer Bobby Kuzma told TechNewsWorld.
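The following Python script is an added illustration of the two points above, unsalted SHA-1 storage and password reuse; it is not code from the article or from any of the companies quoted. The user names, passwords and wordlist are constructed for the example, and the salted alternative uses PBKDF2 from the standard library as a stand-in for whatever slow, salted scheme a site would actually deploy.

```python
import hashlib
import os
import secrets


def sha1_hex(text):
    """Unsalted SHA-1 of a password, the storage format the article attributes
    to the LinkedIn and Myspace dumps."""
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed sample "leak" (hypothetical users and passwords, not real breach data).
CONSTRUCTED_LEAK = {
    "alice": sha1_hex("password1"),
    "bob": sha1_hex("letmein"),
    "carol": sha1_hex("password1"),        # reused the same password as alice
    "dave": sha1_hex("Xq9!vR2#mL7&tZ"),    # strong password, not in the wordlist
}

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
CONSTRUCTED_WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def build_lookup_table(wordlist):
    """Hash every candidate once. Because there is no salt, this table can be
    precomputed and reused against any unsalted SHA-1 dump, from any site."""
    return {sha1_hex(w): w for w in wordlist}


def crack_unsalted(leak, wordlist):
    """Recover every user whose hash appears in the table. The cost is one SHA-1
    per candidate word, no matter how many users leaked."""
    table = build_lookup_table(wordlist)
    return {user: table[h] for user, h in leak.items() if h in table}


def duplicate_hashes(leak):
    """Unsalted storage leaks reuse inside the dump: identical hash means
    identical password, so cracking one account cracks all of them."""
    groups = {}
    for user, h in leak.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# --- salted, deliberately slow alternative ---

def hash_salted(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    Returns (salt_hex, hash_hex) for storage."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), dk.hex()


def verify_salted(password, salt_hex, hash_hex, iterations=200_000):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(dk.hex(), hash_hex)


def crack_salted(records, wordlist, iterations=200_000):
    """With per-user salts no precomputed table applies: each user costs a fresh
    pass over the wordlist, and each PBKDF2 call is slow by design."""
    found = {}
    for user, (salt_hex, hash_hex) in records.items():
        for w in wordlist:
            if verify_salted(w, salt_hex, hash_hex, iterations):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("cracked (unsalted):", crack_unsalted(CONSTRUCTED_LEAK, CONSTRUCTED_WORDLIST))
    print("reused passwords:", duplicate_hashes(CONSTRUCTED_LEAK))
    s1, h1 = hash_salted("password1")
    s2, h2 = hash_salted("password1")
    print("same password, different salted hashes:", h1 != h2)
```

Running it shows three of the four constructed users falling to a five-word list in a single table lookup, and alice and carol exposed as sharing a password without either hash being cracked first. The salted version yields a different hash for the same password on every enrolment, so an attacker who wants the same three accounts has to run the wordlist per user at PBKDF2 cost.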
That said, the risk to users “is largely dependent on the decisions they’ve made online, the direct results of which services they trust, and information they share,” said Core’s Rudolph. “I don’t lose as much sleep over a hobby account [like Tumblr].”
Users should think about subscribing to password managers, Lastline’s Kensek told TechNewsWorld. They “create another layer of protection and are worth the investment.”
Meanwhile, Courion, Core Security, SecureReset and Bay 31 have teamed to form a new firm, taking the “Core Security” name, which will offer a multidisciplinary approach to enterprise security.
It will combine dynamic provisioning, identity management, access governance, vulnerability assessment and pen testing, said Rudolph, offering “a variety of tools which can be used to detect weak spots in the entire security chain, including the people and systems — prioritizing them, and showing what’s really possible for attackers.”