It’s been a busy time for data breaches in the social media world, with Myspace, LinkedIn and Twitter all experiencing them. In each of these cases, the cybercriminals behind the breaches were after usernames and passwords. The most commonly used passwords today are “password” and “123456,” and it only takes a hacker .29 milliseconds to crack them.
In 2008, Myspace was the world’s largest social networking site. While it is no longer in its prime, that didn’t stop the cybercriminal who goes by the name of “Peace” from targeting it for a data breach. In May 2016, a massive set of data was stolen from Myspace in what’s said to be one of the largest breaches in history.
Peace stole data from over 360 million Myspace accounts. Each stolen record contained an email address and password. The stolen data was several years old, but it is still valuable on the dark web because people often reuse passwords for multiple sites and accounts, from online banking to eCommerce accounts. If a hacker gets their hands on the correct email and password combination, they can break into the victim’s accounts on various sites. Peace put the hacked Myspace data up for sale on The Real Deal, a dark web market, and asked for 6 Bitcoin, about $3,000, in exchange for the data.
Myspace CFO, Jeff Bairstow, responded to the breach with, “We take the security and privacy of customer data and information extremely seriously—especially in an age when malicious hackers are increasingly sophisticated and breaches across all industries have become all too common.”
With an average of 400 million active monthly users, it makes sense that LinkedIn would be the target of a data breach. In 2012, LinkedIn was hit with a breach and more than 6.5 million passwords were stolen from the site’s database. In May 2016, the professional networking site revisited the data breach.
Peace, the same Russian hacker responsible for the Myspace data breach, put the stolen LinkedIn data from 2012 up for sale on the dark web. However, it turned out that over 100 million passwords were stolen, much more than the original 6.5 million estimated.
LinkedIn Chief Information Security Officer Cory Scott posted in a statement, “Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.”
Scott asked all users to reset their passwords. “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” he said. “We have no indication that this is as a result of a new security breach.”
Just like Myspace and LinkedIn, Twitter found its users’ data on the dark web in June 2016. Twitter has over 300 million active users, and 32 million Twitter login credentials were put up for sale for 10 bitcoin, which is just under $6,000.
Twitter reassured its users that its systems were not breached. Instead, it’s believed that hackers used malware to collect the information by combining data from other recent breaches. Hackers can mine exposed data and check whether the credentials work on other sites. When an individual uses the same username and password combination on multiple sites, an attacker could potentially break into several of their accounts.
Twitter Trust and Information Security Officer, Michael Coates, tweeted, “We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached.”
You can’t control the company storing your information, but you can control how sophisticated your passwords are. Follow these tips for creating a strong password:
Strong Password Tips:
If you have trouble remembering your password, try using phrases you will remember. For example, if spaghetti is your favorite food, your password could be, “iLuv$pgh3ttI.” When is your sister’s birthday? If it’s on June 1, try “[email protected]/1.” The moral of the story is, always use strong passwords and don’t use the same password for multiple accounts.
In addition to keeping your passwords secure, you can keep cybercriminals out with a web application firewall (WAF). The SiteLock TrueShield web application firewall can differentiate between malicious and legitimate traffic, allowing only legitimate traffic to enter your site.