MySpace & Tumblr hacks result in millions of emails exposed

By Mark Kane

June 6th 2016

In the world of cyber security there are two types of companies, companies that have been hacked and those that don’t know yet they have been hacked.

Social media giants MySpace and Tumblr in recent years became victims of cyber-attacks resulting in customer emails and passwords being exposed. In recent days more details have come to light as data sets reveal exactly how many emails and passwords were leaked and that are currently up for sale via dark web sites.

MySpace hack 2011

The MySpace attack in 2011 was one of the more serious hacks to have happened in the last 5 years. It is now revealed that nearly 360.2 million email accounts including passwords were stolen and now are online for sale at just $2800.

How were they hacked?

The passwords were originally “hashed” with the SHA1 algorithm, which is known to be weak and easy to crack. What’s worse, the company didn’t “salt” the passwords in the hashing process. Salting means adding a series of random bytes to the end of passwords before hashing them to make them harder to be cracked.

News site Motherboard spoke to a hacker called “Peace” and an operator from Leaksource, which is a paid hacked data search engine that claims to have the MySpace data, said it’s from a past, unreported, breach.  They spoke via online chat and confirmed they had access to the leaked emails and passwords from MySpace.

To confirm that the list was authentic, Motherboard provided a few staffers emails to Leaksource that had MySpace accounts. Within a short time Leaksource came back with correct passwords for all accounts.

Tumblr Hack 2013

Last month Tumblr announced via their blog that in 2013 they had a breach and that a set of emails were obtained during the hack. Tumblr do stress that this hack did occur before the current owners Yahoo took over the company.

However what is not mentioned is exactly how many mails were stolen. Security researcher Troy Hunt, along with the help of Have I Been Pwned, were able to obtain data revealing over 65 million Tumblr accounts were stolen in 2013. The data shows both emails and passwords were taken during the hack. In this situation the passwords are safe because they have been scrambled, otherwise known as hashing. However, the emails can still be useful to scammers for phishing attacks.

It is unknown who exactly conducted the hacks on MySpace & Tumblr. Odds are we will never know which is very common when it comes to cyber-attacks. However, what is a worrying thought is that both    MySpace and Tumblr for some time never knew they were even hacked until news of the leak came out. Also the level of security they implemented at the time for their clients data was weak and they left themselves vulnerable to attack.

Many organisations reading this may think “Well this won’t happen to us”. You may think because you’re not a house hold name like MySpace or Tumblr you’re safe from attacks, but sadly you will be wrong. Hackers do not care where they get the data from. From their point of view if they can get your data there will be a buyer somewhere.

Stories like this plus the hacks of LinkedIn and Sony in recent times will only continue to happen. As organisations that hold customer data, it is in your best interests and is your responsibility to set up a framework to manage data breaches.

It is impossible to say you’re 100% secure from cyber-attacks, but if you can show you’re doing all that is possible to prevent an attack – and more importantly prepared to deal with an attack when it happens instead of finding out months later – then this will not only add value to your company but add confidence and reassurance to your clients.

What can you do?

The only thing you can do is be proactive about cyber security. By installing a framework that provides you with a system that helps manage issues like these is the only way to prevent your organisations brand being damaged by a data breach.  ISO 27001 gives you that framework.

ISO 27001 is the globally recognized standard for information security. The current version of ISO 27001:2013 provides a set of requirements for an information security management system (ISMS) . To be certified for ISO 27001 you will need to be audited by an external company. The benefit of being audited externally provides additional validation to your clients that you’re taking IT Security seriously and transparent about how you conduct your company IT operations.  Being certified with ISO 27001 will show your clients both current and future your organisation takes information security seriously and you’re prepared to manage and potential cyber-attack.

Person with laptop and hardhat ISO certification
Robert Lyons
Robert Lyons


Related ISO Certifications

Certification Europe small Rosette logo symbol

ISO 9001

Quality Management System

Quality Management System ISO 9001 is an internationally recognised global standard that confirms an …
Certification Europe small Rosette logo symbol

ISO 14001

Environmental Management System

ISO 14001 Environmental Management System ISO 14001 is the global standard for organisations wanting …
Certification Europe small Rosette logo symbol

ISO 45001

Occupational Health and Safety

Occupational Health and Safety ISO 45001 is an international standard that specifies requirements for …
Certification Europe small Rosette logo symbol

ISO 50001

Energy Management System

Energy Management Systems ISO 50001 is a global standard for organisations looking to improve …
Certification Europe small Rosette logo symbol

ISO 27001

Information Security Management Systems

Information Security Management Systems ISO 27001 is the international standard for managing risks related …
Certification Europe small Rosette logo symbol

ISO 22301

Business Continuity Management Systems

Business Continuity Management Systems ISO 22301 is the business continuity management system (BCMS) standard. …
Certification Europe small Rosette logo symbol

ISO 20000-1

IT Service Management Systems

IT Service Management Systems ISO 20000-1 Service Management is the international standard for quality …
Certification Europe small Rosette logo symbol

ISO 13485

Medical Devices

Medical Devices ISO 13485 is a globally recognised quality standard that identifies the requirements …
Certification Europe small Rosette logo symbol

ISO 27701

Privacy Information Management Systems

Privacy Information Management Systems ISO 27701 is the global standard for Privacy Information Management …
Certification Europe small Rosette logo symbol

BS 10012

Personal Information Management System

Personal Information Management System BS 10012 provides a framework for a Personal Information Management …
Certification Europe small Rosette logo symbol

ISO 27018

Protection of Personally Identifiable Information (PII)

Protection of Personally Identifiable Information (PII) ISO 27018 is the global standard organisations use …
Certification Europe small Rosette logo symbol

ISO 27017

Cloud Data Protection

Cloud Data Protection ISO 27017 is the global standard used by organisations to strengthen …

Related Insights

How to make small business sustainability a priority

Small business sustainability is becoming a priority in the drive towards Ireland becoming net zero – here’s…

What is circular economy and what does it mean for organisations?

The circular economy is not a new phenomenon. Read our breakdown of what the circular economy is…