360m Myspace users' info stolen; Train hackers may use credit info; 1m WordPress sites vulnerable


By Andrew Collins
Thursday, 02 June, 2016


Social networking website Myspace has been hacked, with some reports stating that the personal information of more than 360 million accounts was stolen in the attack.

Time Inc., which acquired Myspace earlier this year, confirmed in a statement that Myspace had been hacked.

“Shortly before the Memorial Day weekend, the Myspace technical security team became aware that stolen Myspace user login data was being made available in an online hacker forum,” the statement said. (This year Memorial Day — a federal US holiday — fell on 30 May.)

The statement said that Myspace is notifying all affected users.

Myspace also posted a blog about the incident, saying it believes that the Russian hacker ‘Peace’ is responsible for the attack.

According to the blog post, email addresses, Myspace usernames and Myspace passwords for the affected Myspace accounts created prior to 11 June 2013 are at risk following the attack.

“Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and Myspace username and password,” the Myspace blog post said.

Myspace said it had invalidated all user passwords for the affected accounts created prior to 11 June 2013 on the old Myspace platform.

“These users returning to Myspace will be prompted to authenticate their account and to reset their password,” it said.

Echoing so many other statements made following data breaches in recent times, Myspace added that “if you use passwords that are the same or similar to your Myspace password on other online services, we recommend you set new passwords on those accounts immediately”.

“We have also reported the incident to law enforcement authorities and are cooperating to investigate and pursue this criminal act,” Myspace said.

LeakedSource claimed to have information on the attack, stating that the stolen dataset contains 360,213,024 records.

“Each record may contain an email address, a username, one password and in some cases a second password,” LeakedSource said.

“Passwords were stored in SHA1 with no salting,” LeakedSource said. “The methods Myspace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it’s not encryption at all.”

Myspace said in its blog post that as part of a major site relaunch in 2013, it took “significant steps to strengthen account security”, and that the compromised data is related to the period before those strengthening measures were implemented.

It said it now stores passwords as double-salted hashes.
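LeakedSource's point about unsalted SHA-1 is worth making concrete. SHA-1 is a fast hash, not encryption: with no per-user salt, every user who chose the same password has the same digest, and an attacker hashes a wordlist once and matches it against the entire dump. The script below is an added illustration, not Myspace's or LeakedSource's code, and the accounts, passwords and wordlist in it are constructed. The "modern" side uses a random per-user salt with PBKDF2-HMAC-SHA256 as an assumed scheme; it is not a claim about what Myspace's "double salted hashes" actually are.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; two of them share a password on purpose.
SAMPLE_USERS = {
    "alice": "Summer2013",
    "bob": "Summer2013",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for the large wordlists and rainbow tables an attacker
# actually holds. Only the first two users' password appears in it.
WORDLIST = ["password", "123456", "Summer2013", "qwerty", "letmein"]


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme LeakedSource described."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash every candidate once, then look up each user's digest in the table.

    Cost is O(len(wordlist) + len(hashes)); the table is reusable against any
    other unsalted-SHA-1 dump, which is why 'no salting' matters so much.
    """
    table = {legacy_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, int, bytes]:
    """Random per-user salt + iterated PBKDF2-HMAC-SHA256 (assumed modern scheme)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_salted(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_salted(records: Dict[str, Tuple[bytes, int, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With salts there is no shared table: every candidate must be hashed
    separately for every user, and each attempt costs `iterations` HMACs.
    Returns the cracked passwords and the number of guesses it took."""
    cracked: Dict[str, str] = {}
    attempts = 0
    for user, rec in records.items():
        for w in wordlist:
            attempts += 1
            if verify_salted(w, rec):
                cracked[user] = w
                break
    return cracked, attempts


if __name__ == "__main__":
    legacy = {u: legacy_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("alice and bob share a digest:", legacy["alice"] == legacy["bob"])
    print("cracked from one precomputed table:", crack_unsalted(legacy, WORDLIST))

    modern = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    print("alice and bob share a digest:", modern["alice"][2] == modern["bob"][2])
    cracked, attempts = crack_salted(modern, WORDLIST)
    print("cracked with", attempts, "slow guesses:", cracked)
```

The weak passwords still fall in both cases; the difference is the attacker's cost. Against the unsalted dump the five-entry table is built once and applied to all 360 million records, whereas against the salted store the guesses cannot be shared between users and each one is deliberately slow. That, rather than any secrecy of the salt, is what the salt buys.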

Credit card info at risk after TrainLink attack

Attackers who obtained limited credit card information in a recent attack on NSW TrainLink’s online reservation system may be able to use that information in some circumstances, Transport for NSW (TfNSW) has revealed.

Late last week, TfNSW announced that NSW TrainLink had temporarily taken its online reservations system offline after the booking database behind it was compromised.

At the time, TfNSW said: “The NSW TrainLink database does not contain sufficient credit card information for it to be used in any transaction.”

Since that initial announcement, TfNSW has released a second statement saying that the police had indicated “that there is a risk that the limited credit card information in the compromised database could, in some circumstances, be used”.

TfNSW added that the compromised database is separate from the system used to process financial transactions, “which is not impacted by this event”.

NSW TrainLink is working with financial institutions and the police to assess the risk arising from the compromise.

“Customers will be contacted if their cards have been compromised by this incident,” TfNSW said.

NSW TrainLink warned customers to be extra vigilant to any unsolicited requests for personal information, and to notify their financial institution if there is any unusual activity on their card.

More than one million WordPress sites vulnerable

Security company Sucuri has discovered a stored cross-site scripting vulnerability that it says is “very easy to exploit” and may affect more than 1 million websites.

In a post on Sucuri’s blog, Marc-Alexandre Montpas explained: “During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin.”

The Jetpack plugin is currently installed on more than a million WordPress sites, Montpas wrote.

According to Montpas, the vulnerability can be easily exploited via wp-comments, and Sucuri recommends that users update their Jetpack plugin as soon as possible.

“An attacker can exploit this vulnerability by leaving a comment containing a carefully positioned shortcode to inject malicious JavaScript code on the vulnerable website,” Montpas explained.

The vulnerability could allow an attacker to hijack administrator accounts, inject SEO spam into the affected page and redirect visitors to malicious websites, he warned.


All content Copyright © 2024 Westwick-Farrow Pty Ltd