The same person who, last week, was selling data on more than 164 million LinkedIn users (cleaved from a 2012 breach), now claims to have 360 million emails and passwords of MySpace users.
The hacker, who’s known as Peace, says it’s from a past, unreported, breach.
This data was bound to leak eventually, according to LeakedSource, a hacked data search engine that also claims to have the credentials.
“It's the nature of information. ‘Three can keep a secret, if two of them are dead,’” the operator of LeakedSource told Motherboard. “Once data gets traded a few times, eventually it will make its way to somebody who is not trustworthy to keep it a secret, and then it will spread like branches of a tree.”
LeakedSource wrote that the data was provided by someone who goes by the alias Tessa88. But in an interview with Motherboard, the operator said they were unaware of the real origins of the data breach, such as who originally breached MySpace, nor who has had the data “this whole time” or when the company was hacked.
"Either the company never found out, or didn’t disclose it, neither publicly nor to its users. If all the data indeed comes from MySpace, this would be the largest breach of emails and passwords ever," Motherboard reports.
The database contains 427,484,128 passwords, but there are only 360,213,024 million emails.
Each record in the hacked dataset contains “an email address, a username, one password and in some cases a second password,” according to LeakedSource.
The passwords were originally “hashed” with the SHA1 algorithm, which is known to be weak and easy to crack, LeakedSource wrote.
LeakedSource’s operator said the site expects to decode 98 or 99 percent of them by the end of May.
MySpace still had a reported 50 million unique visitors per month as of 2015.