You Can Now Browse Through 427 Million Stolen MySpace Passwords (mashable.com) 64
Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace -- some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.
security researcher my ass (Score:1)
More like a criminal. Why are you people okay with this behavior?
Re: (Score:2, Funny)
Who precisely is "you people"?
VUZE is now malware (Score:4, Informative)
I opened up my trusty torrent client, Vuze, to download this and it asked to install an update. I let it, and then bad craziness broke out. I visibly opened all my browsers up, opened up their preference settings, downloaded and installed extensions, and set their default pages and search engine to Yahoo.
Vuze is now malware. Beware.
Confirmed: VUZE Leap is now malware (Score:1)
If you go to the Vuze support forum there's multiple posts yelling about Vuze as malware. In the earliest one the moderator denies this. Then in the others the moderator has posted how to change your settings back to another search engine. They fail to mention the extensions (like quickview) that Vuze installs in all of your browsers.
The company can no longer be trusted.
How to get rid of VUZE torrent client malware. (Score:1)
Same thing happened to me. It appears Vuze installs the Spigot adware infection into your computer.
For Chrome there's some hope of disinfecting your computer. Don't know how to fix Safari or Firefox.
Navigate to /Users/YOUR_COMPUTER_USERNAME/Library/Application Support/Google/Chrome
YOUR_COMPUTER_USERNAME must of course be replaced with your computer username
grep -rnw '.' -e 'spigot' and grep -rnw '.' -e 'api.mybrowserbar'
Get in there and remove that shit.
In the most annoying case, their genius software made
Re: (Score:2)
They came out with Vuze Leap which is a streamlined version of the original Leap. The install is simplified. It used to work really well. Probably the simplest torrent client I've used.
Much easier than (Score:4, Funny)
Re:Much easier than (Score:5, Insightful)
I think the bigger deal isn't the risk of unauthorized people accessing ancient unupdated MySpace pages. I think the bigger deal is that a lot of people are using that same password, now disclosed online, for their email login, bank login, etc. And the MySpace leak gives everyone the ability to look up a large swath of the population's passwords. A lot of not very tech-savvy people had MySpace accounts, and I haven't looked at the file, but it seems that a less-than-honest person could match people to passwords in a lot of these cases and then have that person's passwords for a lot of different sites.
Re: (Score:1)
Re: In unrelated news (Score:2, Informative)
BeauHD is the editor who does that crap. This story was posted by manishs, so it doesn't have unrelated news. I'd be happy if Slashdot replaced BeauHD by bringing Timothy back.
Re: (Score:3)
What? No "in unrelated news" link at the bottom of the story? What if I can't remember how to scroll down? I'll never hear about "Why Twitter Can't Even Protect Tech CEOs From Getting Hacked".
At least it's not "One weird trick to read 427 million passwords!"...
Re: (Score:2)
One productive use I see is to run this password database against the company logins to check if one is in this list to ask the user to change it. Because sooner or later, and most probably sooner, a hacker will do the same...
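Added example, not part of the thread: a sketch of the breached-password screening suggested in the comment above, applied when a user sets or changes a password, since a properly salted credential store cannot be compared against a leak after the fact. The file layout (one uppercase SHA-1 hex digest per line, sorted), the function names and the sample passwords are assumptions constructed for illustration; the binary search keeps memory constant even for a multi-gigabyte list.

```python
import hashlib
import os
import tempfile

RECORD = 41  # 40 uppercase hex characters plus "\n" (assumed file layout)

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords, path):
    """Write a sorted, de-duplicated digest list (stand-in for a prepared corpus)."""
    with open(path, "w", newline="\n") as fh:
        for digest in sorted({sha1_hex(p) for p in passwords}):
            fh.write(digest + "\n")

def is_breached(password: str, path: str) -> bool:
    """Binary-search the fixed-width file instead of loading it into memory."""
    target = sha1_hex(password).encode("ascii")
    with open(path, "rb") as fh:
        lo, hi = 0, os.path.getsize(path) // RECORD
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(mid * RECORD)
            digest = fh.read(RECORD - 1)
            if digest == target:
                return True
            if digest < target:
                lo = mid + 1
            else:
                hi = mid
    return False

def screen_new_password(password: str, path: str) -> str:
    """Call at password set/change time, when the plaintext is available."""
    return "reject" if is_breached(password, path) else "accept"

def demo():
    # Constructed sample list; a real deployment points at its own corpus file.
    fd, path = tempfile.mkstemp(suffix=".sha1")
    os.close(fd)
    try:
        build_index(["password1", "123456", "myspace1", "iloveyou"], path)
        return [screen_new_password(p, path)
                for p in ("myspace1", "c0rrect-h0rse-battery")]
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```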
Re: (Score:2)
Re: (Score:2)
Most companies force you to change passwords at least every 90 days so the MySpace password would be obsolete by now. They also don't usually register your corporate account with your home email.
Any company that is not forcing password changes and uses its users' home email as a login name is probably not going to run the test you suggested.
Re: (Score:2)
It was a vast archive of horrendous web page design.
Re: (Score:2)
Information wants to be free.
This is why most people simply can't keep their mouths shut.
Re:i don't get it (Score:4, Funny)
They're not stolen. The original users of those passwords still have them. ;)
that's fine. (Score:1)
The real question is.. (Score:3, Insightful)
Re:The real question is.. (Score:5, Funny)
It's that site that a lot of Slashdotters went to a long time ago and painfully discovered that it requires having friends.
Re: (Score:2)
Friends don't let friends use animated gifs for backgrounds and front loading 20 autoplay audio tracks
Re:The real question is.. (Score:5, Informative)
Re: (Score:2)
Re: The real question is.. (Score:2)
Re: (Score:2)
Nothing of importance.
Re: (Score:2)
It's a 2mmx1mm patch on a hard disk somewhere.
chmod +x passwords.txt (Score:4, Informative)
WTF?
Re: (Score:1)
In fairness, trying to open a 13 GB text document might well cause some kind of previously unknown buffer overflow in Notepad. Which probably runs in kernel mode to do some font rendering, given Microsoft's past form.
Re: (Score:2)
Mirror (Score:2)
http://wayback.archive.org/web/*/https://myspace.thecthulhu.com/ [archive.org] (The original was slow for me, but did eventually load.)
There's a Magnet link on the page, but the Torrent file itself didn't get archived. I put a copy at http://www.invisibill.net/Myspace.com.rar.torrent [invisibill.net].
Site seems down (Score:1)
Wow, it's been so long since I've seen a site get slashdotted that I almost forgot about the term!
Strange (Score:2)
The site:
https://haveibeenpwned.com/ [haveibeenpwned.com]
tells me that my MySpace account has been pawned, but I don't remember creating a MySpace account.
Anyone have the torrent link? (Score:2)
Re: (Score:3)
Re: (Score:2)
Title is misleading? You can't browse passwords... (Score:1)
So far as I can tell, this dump contains only the SHA-1 hashes of passwords and no one has figured out how to invert SHA-1.
The SHA-1 hashes of common, already-known passwords are available, so it's possible to invert hashes for these passwords. But, claiming that you can recover any of the passwords is wholly different from being able to confirm that a few well-known passwords were used by a segment of the population. Case in point: Of the ~420 million passwords in the leak, only about 7 million are in the