Anatomy of a Breach: The Mega-Breach Marketplace — Myspace, LinkedIn, and Tumblr Hit the Dark Web

> series: anatomy_of_a_breach —— part: 089 —— datasets: myspace_360M_linkedin_117M_tumblr_65M —— total: 542,000,000

Hedgehog Security 31 May 2016 13 min read

542 million credentials. For sale. Right now.

In May 2016, a hacker operating under the alias 'Peace' (or 'peace_of_mind') listed three enormous credential datasets for sale on the dark web marketplace TheRealDeal: Myspace (360 million accounts with SHA-1 hashed passwords), the full LinkedIn dataset (117 million accounts — nearly 20 times the 6.5 million initially disclosed in 2012), and Tumblr (65 million accounts with salted SHA-1 hashes). Each dataset was priced at just a few Bitcoin — making half a billion credentials available to anyone with minimal cryptocurrency.

The datasets were not from new breaches — they were the delayed surfacing of breaches that had occurred years earlier (Myspace ~2013, LinkedIn 2012, Tumblr 2013). The pattern revealed a disturbing reality: breaches can remain undisclosed for years while stolen data circulates privately among criminals, only becoming public when someone decides to monetise it on the open market. For those years, affected users had no warning that their credentials were compromised — and no reason to change passwords that were being actively exploited.


Half a billion credentials and what they enable.

542 Million Email-Password Pairs

The combined datasets contained 542 million email-password combinations — a significant proportion of the world's internet-connected population. For attackers conducting credential-stuffing attacks, this was an enormous library of verified credentials to test against every other service. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when your users' credentials appear in these datasets.

Years Between Breach and Disclosure

The Myspace, LinkedIn, and Tumblr breaches all occurred years before the data surfaced publicly. During those years, the credentials were circulating privately among criminals. This 'dark period' is why <a href="/cyber-essentials">Cyber Essentials Danzell's</a> MFA auto-fail criterion exists — MFA protects users even when their passwords have been compromised without their knowledge.

Password Reuse Makes Every Breach Cascade

A compromised Myspace password becomes a weapon against Gmail, corporate VPNs, and banking platforms when users reuse passwords. The <a href="/blog/anatomy-of-a-breach-credential-dump-summer">credential dump summer of 2012</a> demonstrated this cascade effect. By 2016, the scale had grown by an order of magnitude. Our <a href="/penetration-testing/social-engineering">security awareness assessments</a> address password reuse culture.

Credentials as a Commodity

At just a few Bitcoin per dataset, credentials had become a bulk commodity. The economics of cybercrime had shifted: acquiring credentials was nearly free, making the return on investment for credential-stuffing attacks extremely favourable. The only defence that changes this calculus is MFA — making stolen credentials worthless without the second factor.

MFA is the only answer when half a billion credentials are for sale.

When 542 million credentials are available for purchase, the question is not whether your users' passwords have been compromised — it is how many times. The only control that remains effective when passwords are compromised at this scale is multi-factor authentication. Cyber Essentials Danzell makes MFA an auto-fail criterion because eight years of this series have proved it is the single most impactful defence against credential-based attacks.

Dark web monitoring through SOC in a Box alerts your organisation when employee credentials appear in breach databases — enabling forced password resets before the credentials are used. Our penetration testing includes credential-stuffing simulation to test whether your authentication systems would resist automated attacks using known-compromised passwords. And UK Cyber Defence provides incident response when credential compromise leads to account takeover.
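
The matching step described above, shown as an added example that is not code from this article or from SOC in a Box: it takes a constructed dump in an assumed `email:sha1` layout, lists the staff addresses that need a forced reset, and screens new passwords against the exposed hashes. All function names and sample records are assumptions made for the illustration.

```python
import hashlib

def sha1_hex(password: str) -> str:
    # Unsalted SHA-1, the storage scheme reported for the Myspace and LinkedIn data.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample in an assumed "email:unsalted-sha1" layout; contains no real data.
SAMPLE_DUMP = "\n".join([
    "Alice@Example.com:" + sha1_hex("Summer2013!"),
    "bob@example.com:" + sha1_hex("hunter2"),
    "carol@other.test:" + sha1_hex("Summer2013!"),  # same password, same hash: no salt
    "broken line without separator",
    "dave@example.com:",                            # record with no hash present
])

def parse_dump(text):
    """Return {lowercased email: sha1 hex or None}, skipping malformed lines."""
    records = {}
    for line in text.splitlines():
        email, sep, digest = line.strip().partition(":")
        if not sep or "@" not in email:
            continue
        digest = digest.strip().lower()
        records[email.lower()] = digest if len(digest) == 40 else None
    return records

def accounts_to_reset(records, staff_emails):
    """Staff addresses present in the dump: force a reset and confirm MFA enrolment."""
    return sorted(e.lower() for e in staff_emails if e.lower() in records)

def is_known_compromised(candidate, records):
    """Screen a new password at change time against hashes seen in the dump."""
    return sha1_hex(candidate) in {d for d in records.values() if d}

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    staff = ["alice@example.com", "Dave@example.com", "erin@example.com"]
    print("force reset:", accounts_to_reset(recs, staff))
    print("reject 'hunter2':", is_known_compromised("hunter2", recs))
```

An address with no hash in the dump is still flagged, because the exposure of the account is what triggers the reset, not whether the hash was recovered.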


542 million credentials for sale. MFA is the only answer. Is yours deployed?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors dark web breach databases. Our <a href="/penetration-testing">penetration testing</a> simulates credential-stuffing attacks.
