May 31, 2016

Huge Tumblr and MySpace (yes, MySpace!) data breaches


Chances are that if you used MySpace or Tumblr, you may be in for something of a headache. You see, it’s been reported that both social networks have had troves of user login data stolen and made available, for the right price.


The data from Tumblr — about 65 million users’ worth — is several years old, Tumblr reported. And for those whose immediate response to this story was “MySpace still exists?” guess what? Several hundred million MySpace passwords make this one of the largest heists to date. On the other hand, the reported asking price of $2,800 for the lot of them reminds us that it’s been a while since we even thought about the once dominant site.

All data breaches matter

Social media data breaches may not cause the kind of panic we see with breaches of financial institutions, but perhaps they should. After all, it takes some effort to gain access to those records, and no one would bother if there were no value to the data.

Although MySpace might not have your credit card information, for example, access to your account gives thieves access to a variety of information that could prove useful — from personal details useful in social engineering to login details for more directly profitable accounts, a distinct possibility given many users’ propensity to reuse passwords.

“The potential risk is high for this breach to bleed over into other stories down the road,” notes Brian Bartholomew, a member of Kaspersky Lab’s Global Research and Analysis Team (GReAT). “These credentials could be used by criminals to access anything from bank accounts, to mail accounts, to other online systems. The possibilities are vast with respect to how this information might be used in the future.”

And whereas Tumblr reported that it “salted” its encrypted user login data, making the data much harder to crack, MySpace merely hashed the information with the SHA1 algorithm.
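The difference between the two storage schemes, as an added example that is not part of the original article: it stores the same constructed accounts once with bare SHA-1 and once with a per-user salt, then checks which users end up with identical stored values. The account names, passwords, the helper names and the choice of PBKDF2-HMAC-SHA256 for the salted scheme are assumptions; the article does not say which algorithm Tumblr used.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users picked the same password.
USERS = {"alice": "qwerty1", "bob": "123456",
         "carol": "qwerty1", "dave": "T7#long-unique-phrase"}

def sha1_unsalted(password):
    """Bare SHA-1 with no salt, the scheme the article attributes to MySpace."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=600_000):
    """Per-user random salt plus a slow KDF (PBKDF2 is this example's assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(stored):
    """Return groups of users whose stored values are byte-for-byte identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def build_stores(users, iterations=600_000):
    """Store every account under both schemes for a side-by-side audit."""
    unsalted = {u: sha1_unsalted(p) for u, p in users.items()}
    salted = {u: salted_hash(p, iterations=iterations) for u, p in users.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_stores(USERS)
    # Unsalted: equal passwords collapse to one hash, so one recovered
    # password exposes every account in the group.
    print("unsalted, users sharing a hash:", shared_hash_groups(unsalted))
    # Salted: every record is unique and must be attacked individually.
    print("salted, users sharing a hash:  ", shared_hash_groups(salted))
    salt, digest = salted["alice"]
    print("alice still verifies:", verify_salted("qwerty1", salt, digest))
```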

Protecting your accounts

Some recommendations for login and password management:

  • Create strong passwords — and make a unique password for each account you hold. Sure, it’s tempting to use passwords that are easy to remember and type, and perhaps even more tempting to repeat the same password all over the place. The flip side of that coin, however, is having to mop up the mess if all of your accounts become compromised as the result of one data breach.
  • Try a password manager, such as Kaspersky Password Manager, to simplify and ease the pain of not being able to access every account with classics like qwerty1, 123456, or the ever popular password (come on, people!).

  • Enable two-factor authentication in every account that supports it. Two-factor authentication, although not 100% hack-proof, is one of the most effective ways available to safeguard your accounts. If it seems like a minor hassle, weigh that brief inconvenience against the headaches of clearing up an identity theft. With two-factor authentication enabled, entering the right login credentials triggers the sending of a code, typically by SMS to your phone. Essentially, it’s a check to ensure you are the right person, not merely a person in possession of your login info.

Go ahead and reset your passwords right now. We’ll wait.