You Can Now Browse Through 427 Millon Stolen MySpace Passwords

Stan Schroeder, writing for Mashable:An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace -- some 427 million passwords, belonging to approx. 360 million users. In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free. Thomas White, security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from Myspace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.

security researcher my ass

[Anonymous Coward]

More like a criminal. Why are you people okay with this behavior?

Re:

[bmk67]

Who precisely is "you people"?

VUZE is now malware

[goombah99]

I opened up my trusty torrent client, Vuze, to download this and it asked to install an update. I let it, and then bad craziness broke out. I visibly opened all my browsers up, opened up their preference settings, downloaded an installed extensions, and set their default pages and search engine to Yahoo.

Vuze is now malware. beware.

Confiremd: :VUZE leap is now malware

[Anonymous Coward]

If you go to the Vuze support forum theres multiple posts yelling about vuze as mal ware. In the fearliest one the moderator denies this. Then in the others the moderator has posted how to change your settings back to another search engine. They fail to mention the extensions (like quickview) that Vuze installs in all of your browsers.

the company can no longer be trusted.

How to get rid of VUZE torrent client malware.

[Anonymous Coward]

Same thing happened to me. It appears Vuze installs the Spigot adware infection into your computer.
For Chrome there's some hope of disinfecting your computer. Don't know how to fix safari or Firefox.

navigate to /Users/YOUR_COMPUTER_USERNAME/Library/Application Support/Google/Chrome

YOUR_COMPUTER_USERNAME must of course be replaced with your computer username

grep -rnw '.' -e 'spigot' and grep -rnw '.' -e 'api.mybrowserbar'

get in there and remove that shit.

In the most annoying case, their genius software made

Re:

[goombah99]

They came out with Vuze Leap which is a streamlined version of the original Leap. The install is simplified. It used to work really well. probably the simplest torrent client I've used.

Much easier than

[fropenn]

going through MySpace's password recovery feature. Now, maybe I will be able to update my MySpace page for the first time in ten years!

Re:Much easier than

[wile_e_wonka]

I think the bigger deal isn't the risk of unauthorized people accessing ancient unupdated MySpace pages. I think the bigger deal is that a lot of people are using the that same password, now disclosed online, for their email login, bank login, etc. And the MySpace leak gives everyone the ability to look up a large swath of the population's passwords. A lot of not very tech-savvy people had MySpace accounts, and I haven't looked at the file, but it seems that a less-than-honest person could match people to passwords in a lot of these cases and then have that person's passwords for a lot of different sites.

Re:

[Richard Dick Head]

This. I no longer have access to my AOL email address, so this list is the only way to get my MySpace password X-D

Re: In unrelated news

[Anonymous Coward]

BeauHD is the editor who does that crap. This story was posted by manishs, so it doesn't have unrelated news. I'd be happy if Slashdot replaced BeauHD by bringing Timothy back.

Re:

[FatdogHaiku]

What? No "in unrelated news" link at the bottom of the story? What if I can't remember how to scroll down? I'll never hear about "Why Twitter Can't Even Protect Tech CEOs From Getting Hacked".

At least it's not "One weird trick to read 427 million passwords!"...

Re:

[Chatterton]

One productive use I see is to run this password database against the company logins to check if one is in this list to ask the user to change it. Because sooner or later, and most probably sooner, a hacker will do the same...

Re:

[ageoffri]

I'd be careful with doing this. It can create a legal liability, if InfoSec runs a password cracking tool against current hashes and succeeds in getting plain text passwords at that point the individual accountability becomes questionable. You can enforce procedures to keep InfoSec legally accountable, but a savvy lawyer will create doubt. The better answer is to run a password cracking tool against hashes that are older, 6 months to a year depending on your password change requirements. Then target any

Re:

[JackieBrown]

Most companies for you to change passwords at least every 90 days so the myspace password would be obsolete by now. They also don't usually register your corporate account with your home email.

Any company that is not forcing password changes and use their users home email as a login name are probably not going to run the test you suggested.

Re:

[sa1lnr]

It was a vast archive of horrendous web page design.

Re:

[Khyber]

Information wants to be free.

This is why most people simply can't keep their mouths shut.

Re:i don't get it

[Schezar]

They're not stolen. The original users of those passwords still have them. ;)

that's fine.

[pseudosero]

I forgot my password anyway

The real question is..

[Patent Lover]

What the heck is MySpace?

Re:The real question is..

[MobileTatsu-NJG]

It's that site that a lot of Slashdotters went to a long time ago and painfully discovered that it requires having friends.

Re:

[HalAtWork]

Friends don't let friends use animated gifs for backgrounds and front loading 20 autoplay audio tracks

Re:The real question is..

[Nidi62]

A website that allowed angsty middle-class teenagers to put up pages with horribly eye-sore backgrounds and embedded music players that automatically start playing music about how misunderstood they are and how horrible their lives are.

Re:

[Solandri]

I thought that was GeoCities.

Re: The real question is..

[Nidi62]

No, geocities was animated backgrounds and dancing babies.

Re:

[bmk67]

Nothing of importance.

Re:

[goombah99]

its a 2mmx1mm patch on a hard disk somewhere.

chmod +x passwords.txt

[Sloppy]

As always, you should exercise caution while downloading any file from an unverified source on the internet; at the very least, you should run it through a virus scanner before doing anything with it.

WTF?

Re:

[Anonymous Coward]

In fairness, trying to open a 13 GB text document might well cause some kind of previously unknown buffer overflow in Notepad. Which probably runs in kernel mode to do some font rendering, given Microsoft's past form.

Re:

[PraiseBob]

It's crazy, but true. Windows users have to live in constant paranoia of their machine executing any random download, usb stick, cd's, emails, etc.

Mirror

[InvisiBill]

http://wayback.archive.org/web/*/https://myspace.thecthulhu.com/ [archive.org] (The original was slow for me, but did eventually load.)

There's a Magnet link on the page, but the Torrent file itself didn't get archived. I put a copy at http://www.invisibill.net/Myspace.com.rar.torrent [invisibill.net].

Site seems down

[elliott666]

Wow, it's been so long since I've seen a site get slashdotted that I almost forgot about the term!

Strange

[eulernet]

The site:
https://haveibeenpwned.com/ [haveibeenpwned.com]

tells me that my MySpace account has been pawned, but I don't remember creating a MySpace account.

Anyone have the torrent link?

[wbr1]

The site is slashdotted. Would like to snag this.

Re:

[wbr1]

Got it: magnet link: magnet:?xt=urn:btih:17E6FC94DAE0A3168301012C290A53A2BD314A28&dn=Myspace.com.rar&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce&tr=udp%3a%2f%2f9.rarbg.com%3a2710%2fannounce&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&tr=http%3a%2f%2fbt.careland.com.cn%3a6969%2fannounce&tr=udp%3a%2f%2fexplodie.org%3a6969%2fannounce&tr=http%3a%2f%2fmgtracker.org%3a2710%2fannounce&tr=http%3a

Re:

[wbr1]

Better way: http://webcache.googleusercont... [googleusercontent.com]

Title is misleading? You can't browse passwords...

[Sibelius]

So far as I can tell, this dump contains only the SHA-1 hashes of passwords and no one has figured out how to invert SHA-1.

The SHA-1 hashes of common, already-known passwords are available, so it's possible to invert hashes for these passwords. But, claiming that you can recover any of the passwords is wholly different from being able to confirm that a few well-known passwords were used by a segment of the population. Case in point: Of the ~420 million passwords in the leak, only about 7 million are in the