The login details of more than 360 million MySpace accounts have been leaked on the web, in what could be the largest data breach seen so far.
According to LeakedSource, which claims to have over 1.6 billion records in its database, the MySpace user information was provided by an anonymous user with an email address linked to the Russian-language exploit.im Jabber chat website. It is not clear how the data was obtained by the user.
The passwords in the data leak are protected by the SHA-1 cryptographic hash function, developed by the United States National Security Agency, which is no longer considered secure.
MySpace does not appear to have added any salting or random data to the SHA-1 hashed passwords to make decryption of the credentials harder, LeakedSource said.
Furthermore, most passwords were less than ten characters long, and few were sufficiently complex to be considered difficult to decrypt.
While iTnews was able to find old user credentials in the database dump on LeakedSource, it remains unclear how many accounts were fully compromised. Of the 360 million accounts, more than 111 million had a user name attached.
Vice.com's Motherboard blog was able to verify that five staffers' MySpace credentials were in the LeakedSource data dump.
LeakedSource will not reveal more than the first few characters of plaintext passwords for users to verify if their credentials have been leaked. The data is currently on sale on the dark web for 6 Bitcoin, or A$4244.
The data breach could be the largest yet. Its scale surpasses attacks on Adobe, which saw over 152 million account details leaked, and LinkedIn which recently had to admit a 2012 hack was much larger than previously thought, with well over 100 million user credentials leaked.