What happened
According to public breach records, the MySpace data breach on July 1, 2008 is reported to have exposed the personal information of 359,420,698 accounts.
In approximately 2008, MySpace suffered a data breach that exposed almost 360 million accounts. In May 2016 the data was offered up for sale on the "Real Deal" dark market website and included email addresses, usernames and SHA1 hashes of the first 10 characters of the password converted to lowercase and stored without a salt. The exact breach date is unknown, but analysis of the data suggests it was 8 years before being made public.
Passwords in this breach were reportedly stored as SHA-1 hashes.
Login data for roughly 359 million MySpace accounts created before June 11, 2013 was stolen in a breach dated to around July 2008, but it stayed hidden until May 2016, when a hacker using the alias "Peace" listed the data for sale on the dark web marketplace "The Real Deal" for about 6 bitcoin. The exposed records contained email addresses, usernames, and passwords stored as unsalted SHA-1 hashes of only the first 10 characters of each password converted to lowercase — a weak scheme that made the credentials relatively easy to crack. After the data surfaced, MySpace's then-owner Time Inc. confirmed the incident and invalidated affected passwords.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Passwords
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | MySpace |
| Date | July 1, 2008 |
| Accounts affected | 359,420,698 |
| Domain | myspace.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by MySpace; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your MySpace password, and change it anywhere else you reused that same password — the weak SHA-1 hashing means these passwords were crackable.
- Enable two-factor authentication on your email and other important accounts, since exposed email addresses paired with cracked passwords fuel credential-stuffing attacks.
- Treat any account that shared this email/password combination as compromised and set a unique password for each one (a password manager helps).
- Watch for phishing emails targeting your exposed email address that may reference old MySpace activity to appear legitimate.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: MySpace Data Breach
- Time Inc. Confirms Massive MySpace Data Breach - NetSec.News
- Recently confirmed Myspace hack could be the largest yet - TechCrunch
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →