web application security lab

In Excess of 1000 Accounts Compromised

I don’t think this will come as much of a surprise to anyone, but it appears MySpace accounts are easily phished. This probably wouldn’t be so bad, except that people put everything about their lives into social networking sites, there are tons of minors on it, it is owned by an evil advertising company, and it was founded by people who build data mining software (okay, I’m not sure how those last two play a part in this, but I still don’t like it).

Also, people tend to reuse the same password on more than one site, most of the people listed use their email addresses as usernames, and an email address is the primary recovery channel for “forgot password” on most websites. Shall I go on? Okay, so maybe this is a big deal.

Here’s the link to the list of compromised users. Of course a good chunk of them aren’t valid, as you’d expect from phished credentials, but you get the point. I’m not sure what means were used to compromise them; clearly some amount of social engineering was involved to get results like these. Even so, MySpace is feeling like a scary place to be right now.

10 Responses to “In Excess of 1000 Accounts Compromised”

  1. Kyran Says:

    Oh my. That’s a large number of people. Imagine any one of them putting important information into a PM, or reading the PMs to find which contacts are real-life friends. “Hey, can I borrow your CC#? Wife took mine on her vacation”

    It seems that it’s starting to show that ‘social networking’ = ‘social engineering’

  2. Ghozt Says:

    The sad part about this is that I told someone I knew to log in to it just to see if they could pick out a phishing site. They logged in, and I told them their password, but then I went back later and did a page search to see how many more people had signed in after they did… they had already signed in twice before I sent them the link. I was wondering today what kind of vulnerability MySpace had that let people send out bulletins with “spoofed” names. I guess it wasn’t a spoofed name, an XSS vulnerability, or an SQL injection. It was a brain injection! (Pulls out Photoshop and makes a lolable image.)

  3. Kyran Says:

    Ghozt, I’m lazy when it comes to lulz-able Photoshops. You should definitely make it.


    ' and 1=1--

    (picture of a cord in a brain)

  4. Disciple Says:

    My little JavaScript input worked there. The list is now self-closing. Hurray.

  5. neoeno Says:

    You’d be amazed. ’Coupla weeks ago I came across a list of no fewer than 10,000 email:password combinations. I’ve sent about 5000 notification emails to them so far… and that’s not a euphemism for spamming, by the way, heh.

  6. Mysterio Says:

    I hate to disappoint you peckerwoods, but I don’t access the list through a web browser, I do it through FTP. So your little XSS script didn’t do anything but give me a laugh. I’ve since changed it so you can’t do that again ;) Enjoy.

  7. Mysterio Says:

    Thanks for the publicity guys, but I’ve changed my submission script to submit plain text now. Sorry to disappoint you. Although your little XSS script didn’t do much, it did give me quite a laugh. Thanks ;)

  8. apnovi Says:

    Definitely not a surprise… unfortunately there isn’t much you can do about user stupidity. If they’re going to submit their password on a fake login, they need educating.

    I myself have posted a fake MySpace login site to attempt to raise a certain level of awareness among friends and associates. It does not record user input, by the way! It just displays a message letting the user know they have been duped!

    This whole situation is made slightly harder by the fact that MySpace uses more than one standard login form and no SSL for login, oh, and the fact that all these phishing sites can directly render their images from MySpace’s servers. I tried contacting their support team to ask them a few questions regarding matters like these… but just got some standard response saying “Having trouble logging in?”
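
    (Editor’s note, added example.) The hotlinking apnovi describes above cuts both ways: a site that serves its login-page graphics can spot phishing kits that embed them by looking at the Referer header on requests for those images. The script below is an added illustration of that detection, not code from the post or any commenter. The log lines, the site domain (`myspace.com`) and the asset path (`/images/login_logo.gif`) are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache "combined" log format. These are made-up
# requests for this example, not real MySpace traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2006:13:01:02 +0000] "GET /images/login_logo.gif HTTP/1.1" 200 2310 "http://www.myspace.com/index.cfm?fuseaction=login" "Mozilla/4.0"
10.0.0.6 - - [10/Dec/2006:13:01:09 +0000] "GET /images/login_logo.gif HTTP/1.1" 200 2310 "http://myspace-login.example.net/login.php" "Mozilla/4.0"
10.0.0.7 - - [10/Dec/2006:13:01:15 +0000] "GET /images/login_logo.gif HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
10.0.0.8 - - [10/Dec/2006:13:02:00 +0000] "GET /images/banner.gif HTTP/1.1" 200 9000 "http://evil.example.org/" "Mozilla/4.0"
10.0.0.9 - - [10/Dec/2006:13:02:30 +0000] "GET /images/login_logo.gif HTTP/1.1" 200 2310 "http://profile.myspace.com/index.cfm" "Mozilla/4.0"
10.0.0.10 - - [10/Dec/2006:13:03:00 +0000] "GET /images/login_logo.gif HTTP/1.1" 200 2310 "http://www.myspace.com.evil.example.org/login/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions for the example: the site's own domain, and the set of image
# paths that only its genuine login page embeds (hypothetical path).
OWN_DOMAIN = "myspace.com"
LOGIN_ASSETS = {"/images/login_logo.gif"}


def parse_line(line):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_own_host(host):
    """True for the site's own apex domain or any subdomain of it.

    The leading dot matters: "www.myspace.com.evil.example.org" must not match.
    """
    if not host:
        return False
    host = host.lower()
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)


def find_hotlinked_login_assets(log_text):
    """Flag login-page images fetched with a Referer outside our own domain.

    Returns a list of (referer_host, path, client_ip). Requests with no
    Referer are skipped rather than flagged: the header is client-supplied
    and many browsers or proxies strip it, so its absence proves nothing.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in LOGIN_ASSETS:
            continue
        referer = rec["referer"]
        if referer in ("", "-"):
            continue
        host = urlparse(referer).hostname
        if host and not is_own_host(host):
            hits.append((host, rec["path"], rec["ip"]))
    return hits


if __name__ == "__main__":
    for host, path, ip in find_hotlinked_login_assets(SAMPLE_LOG):
        print(f"possible phishing kit at {host}: {path} requested by {ip}")
```

    On the sample data this flags the two foreign hosts (`myspace-login.example.net` and the look-alike `www.myspace.com.evil.example.org`) and ignores the site’s own subdomain, the banner image, and the request with no Referer. Treat this as a detection signal for the site’s own operators, not a control: Referer is whatever the client sends, and a kit that copies the images locally leaves no trace here at all. It also does nothing about the other point in the comment, the lack of SSL on the login form.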

  9. RSnake Says:

    Peckerwoods? That’s a first! But this is making me even more glad I don’t have a myspace account!

  10. Awesome AnDrEw Says:

    Since the list is down I just went to Google and requested the cached version. Now it’s time for some e-raping.