Seven Hundred Million

That’s approximately how many passwords to popular web services were leaked over the past week or so, as lists from LinkedIn, Tumblr, MySpace, and others have all shown up for sale on pseudonymous marketplaces.

Troy Hunt is the creator of Have I Been Pwned, a service that allows you to type in your email address or username and see if your account is among those compromised by major security breaches:

“There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time.

“The other is the size and these 4 breaches are all in the top 5 largest ones HIBP has ever seen. That’s out of 109 breaches to date, too. Not only that, but these 4 incidents account for two thirds of all the data in the system, or at least they will once MySpace turns up.”

Hunt doesn’t (yet) have a copy of the MySpace database, but you can assume that if you had a MySpace account at any point prior to 2013, its password is among those on the list. Whether that leak comprises 427 million or 360 million passwords is currently a bit ambiguous, but either way, it is by far the largest breach ever recorded by Have I Been Pwned.

If you needed yet another reminder to choose secure, long, and — most importantly — unique passwords, this is probably a good one.

Update: Troy Hunt has now added approximately 360 million MySpace passwords to the HIBP database. The list appears to be from 2008 or 2009, right at the tail end of MySpace’s popularity.