Difference between revisions of "DBSA:2016-05271"
(Created page with "{{DBSAHEAD | TITLE=MySpace Compromise (Unconfirmed) | KEYWORDS=MySpace, compromise, passwords, email addresses, unsalted }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' MySp...") |
|||
Line 1: | Line 1: | ||
{{DBSAHEAD | {{DBSAHEAD | ||
− | | TITLE=MySpace Compromise | + | | TITLE=MySpace Compromise |
| KEYWORDS=MySpace, compromise, passwords, email addresses, unsalted | | KEYWORDS=MySpace, compromise, passwords, email addresses, unsalted | ||
}} | }} | ||
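Review bot: the added TITLE line carries no "(Unconfirmed)" qualifier, although the page-creation summary shows the title as "MySpace Compromise (Unconfirmed)" and the Description paragraph added in this same revision still says the compromise is unconfirmed. Either keep the qualifier in TITLE or state the confirmation status in the header so that title and body agree.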
Line 6: | Line 6: | ||
'''DBSA ID:''' {{PAGENAME}} | '''DBSA ID:''' {{PAGENAME}} | ||
− | '''Regarding:''' MySpace Compromise | + | '''Regarding:''' MySpace Compromise |
'''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 17:25, 27 May 2016 (EDT) | '''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 17:25, 27 May 2016 (EDT) | ||
Line 31: | Line 31: | ||
==Description== | ==Description== | ||
− | MySpace is a social networking platform website created for users to communicate, recent iterations of the website have been targeted toward the independent music scene. On 27 May 2016 it has been reported that the backend database of the site had been compromised and analyzed by the attackers who indicate 427 million records are in their posession. Records contain usernames, hashed passwords that are not salted (making it easy to use a rainbow table attack). | + | MySpace is a social networking platform website created for users to communicate, recent iterations of the website have been targeted toward the independent music scene. On 27 May 2016 it has been reported that the backend database of the site had been compromised and analyzed by the attackers who indicate 427 million records are in their posession. Records contain usernames, hashed passwords that are not salted (making it easy to use a rainbow table attack) and email addresses. |
+ | |||
+ | Digibase has not directly observed the compromised records, so this is unconfirmed at this point in time, but users should deploy standard methodologies. | ||
==Mitigation/Solution== | ==Mitigation/Solution== | ||
− | Users should change their Myspace passwords on a rolling basis to temporary passwords, once immediately and then again at | + | Users should change their Myspace passwords on a rolling basis to temporary passwords, once immediately and then again at 1 weeks. After 2 weeks users may reset to a more longterm password. Users should also ensure that their password is not shared among other sites, to which those passwords will also need to be reset. |
Users should also be highly suspicious of any contacts via email and use non-email methods to verify legitimacy of such email. Password resets should only be performed through known good links. | Users should also be highly suspicious of any contacts via email and use non-email methods to verify legitimacy of such email. Password resets should only be performed through known good links. |
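Review bot: in the Mitigation/Solution line, the added wording "again at 1 weeks" should read "1 week", and the schedule would be clearer if it said whether that week is counted from the first change. The closing clause of the same line ("to which those passwords will also need to be reset") does not parse; something like "if it is reused elsewhere, reset it on those sites too" would fix it. The added Description sentence "users should deploy standard methodologies" could point to the Mitigation/Solution section rather than leave the methods unnamed.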
Latest revision as of 16:27, 27 May 2016
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.
Digibase Security Advisory - MySpace Compromise
Keywords: MySpace, compromise, passwords, email addresses, unsalted
DBSA ID: 2016-05271
Regarding: MySpace Compromise
Writeup: Kradorex Xeron (talk) 17:25, 27 May 2016 (EDT)
Date: 2016 05 27
Last Modified: 20160527162739 by Kradorex Xeron
Who should take note: All MySpace Users
Classification
Priority: MODERATE
Rationale: Users need to ensure their information is secured.
Severity: HIGH
Rationale: Usernames, insecurely hashed passwords and email addresses, among other information, have reportedly been compromised
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: 427 Million records are reported to have been compromised
Description
MySpace is a social networking website created for users to communicate; recent iterations of the website have been targeted toward the independent music scene. On 27 May 2016 it was reported that the backend database of the site had been compromised and analyzed by the attackers, who indicate that 427 million records are in their possession. Records contain usernames, hashed passwords that are not salted (making it easy to use a rainbow table attack) and email addresses.
Digibase has not directly observed the compromised records, so this is unconfirmed at this point in time, but users should deploy standard methodologies.
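Why the missing salt noted in the Description matters, as an added example that is not part of the original advisory: with a bare digest, equal passwords store as equal hashes, so one precomputed entry matches every account using that password, while a per-user salt with a slow KDF removes the overlap. The account names, passwords, the choice of SHA-1 for the weak scheme and the PBKDF2 parameters are assumptions made for illustration; the advisory does not name the algorithm.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "tr0ub4dor&3")]

ITERATIONS = 600_000  # assumed PBKDF2 work factor for the hardened scheme


def unsalted_record(password: str) -> str:
    """Weak scheme: bare digest, so equal passwords give equal stored hashes.
    SHA-1 is an assumption; the advisory only says 'hashed' and 'not salted'."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def accounts_sharing_a_hash(stored: dict) -> int:
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    unsalted = {user: unsalted_record(pw) for user, pw in ACCOUNTS}
    salted = {user: salted_record(pw) for user, pw in ACCOUNTS}
    print("unsalted, accounts sharing a hash:", accounts_sharing_a_hash(unsalted))
    print("salted, accounts sharing a hash:  ", accounts_sharing_a_hash(salted))
    print("login still works:", verify_salted("sunshine1", salted["alice"]))
```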
Mitigation/Solution
Users should change their MySpace passwords on a rolling basis to temporary passwords, once immediately and then again at 1 week. After 2 weeks users may reset to a more long-term password. Users should also ensure that their password is not shared among other sites; where it is, those passwords will also need to be reset.
Users should also be highly suspicious of any contacts via email and use non-email methods to verify the legitimacy of such email. Password resets should only be performed through known good links.