Four Major Site Login Databases Stolen

John Lister's picture

A series of massive but dated breaches of high-profile sites is yet another reminder of the dangers of poor password security. While the sites in question are taking preventative measures, experts warn that hackers could use the stolen details to access other sites.

In the past few weeks, hackers have offered up massive hauls of stolen login details from four major sites. They include details of 360 million accounts from MySpace and 65 million accounts from Tumblr, both lists appearing to date from 2013.

Questions Posed For Sites And Users

This follows 164 million account details from LinkedIn dating back to 2012, and 40 million account details from dating site Fling from 2011. As best as security researchers can tell, the accounts in question appear to be genuine, with the listed details correct at the time the data was stolen. (Source: vice.com)

At least one security researcher has questioned whether the appearance of so many huge databases of stolen details on the black market at the same time is a coincidence. The reports have also sparked questions about whether the companies involved knew about the breaches at the time and, if so, why they didn't publicly reveal them. (Source: troyhunt.com)

Stolen Data A Numbers Game

Although the stolen data may be a few years old, most users do not change their passwords regularly unless forced to. As such, there's a very good chance that a portion of the login details are still valid. There's also a numbers game in play. For example, even if just one percent of people had failed to change their MySpace password since 2013 or earlier, that would still mean 3.6 million vulnerable accounts.

MySpace has now said it has invalidated the passwords for any account that is at risk of being breached, meaning users will need to verify their account and reset the password.

The biggest problem, however, is that many users use the same email address and password for multiple websites. Once hackers have stolen details, they can try them on other websites and services. Even if that doesn't get them access to confidential or sensitive data, it may allow them to use the accounts on other sites to spread messages containing malicious links, which can then lead to other users' machines becoming infected with malware.

What's Your Opinion?

Have you used any of the affected services? Do you regularly change passwords, even on sites that you no longer use but where you haven't closed the account? Do you use a different password for every site and if not, how do you decide when it is "safe" to reuse a password?


Comments

Dennis Faas's picture

I use Roboform to randomly generate 16 to 24 character passwords for every site I log in to (example: lsPN!!@Jl1mZTZPC). I then use one master password (my fingerprint or a text phrase) to access those passwords, which Roboform automatically inputs for me. The result is that if one site gets hacked, my password can't be used on another site. Also, because my passwords are strong, they are unlikely to be brute-force cracked by a bot.

cpdahl54's picture

It would help us if we knew the names of the sites! How else are we to know to check and change those passwords? Hacked sites seem to wait on notifying us of breaches until after they fix their weakness, which means too late to protect ourselves from damage.
As for myself, yes, I fairly routinely change my passwords but I know there are some sites I don't go to any more that are out of sight, out of mind. I just don't remember them.

LS_6386's picture

All 4 sites *are* named in the article...

Dennis Faas's picture

As stated in the article, the sites which were hacked are: MySpace, Tumblr, LinkedIn, and Fling. Site names were indicated in the third and fourth paragraphs - I am not sure how you missed it.

LouisianaJoe's picture

I use the same passwords for many sites such as forums and newsletters. Who cares if you log in as me on this site? I do use unique passwords for sites that I spend money with or financial sites that monitor my money.

I do not use any of the sites involved here and if I did, they do not qualify as a secure site like a financial site.