MySpace and Tumblr hacked, 500 million usernames for sale on the Dark Web

The hacker Peace_of_Mind, responsible for the recent posting of the LinkedIn and Naughty America databases, has struck again and has placed the MySpace (427 million usernames) and Tumblr (68 million usernames) databases online.

The hacker Peace_of_Mind (or Peace) is offering the database of the 427 million MySpace users for 2,500 euros (6 BTC) and the 68 million Tumblr accounts for 130 euros (0.4 BTC) – a price difference explained by the algorithm used to store passwords, which is very strong in Tumblr's case and makes the leaked data virtually unusable.

Like the LinkedIn database posted last week, the Tumblr and MySpace usernames do not appear to be recent.

The Tumblr database indeed comes from a hack that occurred in 2013, about which the blogging platform said very little. The MySpace database is not dated, but the email addresses in it do not reflect current trends – today Gmail is used much more than Yahoo and Hotmail combined, which the following ranking does not show:

Leaked Source top emails

List compiled by the site

Old hacks, current consequences

Although it turns out that the LinkedIn and Tumblr databases contain data from 2012 and 2013 respectively, the consequences of posting this information are still very current.

It is indeed common to keep the same password for several years, or even to use it for several different services.

And hackers know this: a combination of an email address and a 4-year-old password still has a chance of working today, on one site or another.

A Reddit co-founder, known under the pseudonym KeyserSosa, has specifically stated that over the last two weeks, no fewer than 100,000 user accounts of the site have had their password reset due to attempted account theft (“ATO” – Account TakeOver).

Taken together, the databases posted recently by the hacker Peace_of_Mind, such as LinkedIn, Naughty America, Fling, Myspace and Tumblr, expose nearly 700 million usernames, of which 589 million contain e-mail addresses and passwords.

To limit risk as much as possible, a unique password should be used for each service and changed regularly. And if you’re afraid you won’t remember them, a password manager is a good alternative.