Myspace, LinkedIn Hacks Could Compromise Workplace Security

Are your employees using the same passwords for work and personal accounts?

Aliah D. Wright By Aliah D. Wright June 2, 2016

The recent sale of online user data stolen from Myspace and LinkedIn highlights the need for human resource information technology professionals to make certain that employees aren’t using the same passwords for work and social media.

Time Inc., which owns Myspace, confirmed May 31 that the social networking site was hacked and that passwords, e-mail addresses and user names are now for sale online.

More than half a billion passwords have been stolen from Myspace, and 165 million LinkedIn accounts were compromised in May. Experts say the Myspace data was apparently stolen and sold by the same individual who hacked LinkedIn.

“While many people may feel Myspace isn’t as popular as Facebook, Twitter, etc., the bigger problem is password reuse,” said Dodi Glenn, vice president of cyber security at PC Pitstop, a security software company based in Sioux City, Iowa.

“With username and password reuse, an individual may use the same e-mail address or username and password on site A that they would use on sites B and C,” he said. “When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere.”

Company leaders have to make sure employees know not to use the same passwords at work that they use to access other systems, experts say.

According to a survey by password management app Password Boss, 59 percent of consumers use the same passwords to access multiple accounts because it’s too hard to remember a different password for each account. The average professional memorizes 19 passwords between personal and work accounts, according to another study.

As SHRM Online reported last year, 54 percent of those surveyed by Software Advice said that “their employers require them to use complex passwords; 51 percent are required to change their passwords regularly; 41 percent said they are locked out of their computer after too many failed attempts at entry; 39 percent are forbidden from reusing passwords; and just 29 percent are prohibited from using the default passwords that come with a system.”

Said Lesley Fair, a senior attorney at the Federal Trade Commission, which enforces corporate data security, “If you have personal information stored on your network, [then] strong authentication procedures, including sensible password hygiene, can help ensure that only authorized individuals can access the data.”

Added Glenn: “The use of weak passwords and unencrypted database passwords still presents a serious security problem to individuals and companies alike, and it’s one of the top causes of data breaches.”

Details of the Myspace Hack

“Shortly before the Memorial Day weekend, the Myspace technical security team became aware that stolen Myspace user login data was being made available in an online hacker forum,” according to a news release from Time Inc. “The compromised data is limited to a portion of Myspace usernames, passwords and e-mail addresses from the old Myspace platform prior to June 11, 2013—when the site was relaunched with significant steps to strengthen account security.”

The hacked Myspace information is currently for sale at the price of six bitcoin (worth about $2,800), online news site Vice reported.

Link to the LinkedIn Hack

According to PC Pitstop, the hacker responsible for the Myspace breach is the same one who sold the data of more than 165 million LinkedIn users in early May. Known as Peace, this hacker now claims to have more than 400 million e-mail addresses and passwords of Myspace users—“making it possibly the largest leaked password breach ever,” PC Pitstop stated in a news release.

Before Time confirmed the Myspace hack, the breach was initially announced in a blog post by the new search engine for leaked data, LeakedSource, on May 27. LeakedSource scours the Internet for data and accumulates hundreds of databases, allowing users the “ability to search and find whether their data is available online or not,” according to its website.

“The Myspace breach does not affect any of Time Inc.’s systems, subscriber information or other media properties and does not appear to include financial data of any kind,” Time stated in its news release.

Myspace says it is “notifying all affected users and working proactively with law enforcement authorities to resolve this issue. Myspace has also invalidated the passwords of all known affected users and is monitoring for suspicious activity that might occur on Myspace accounts.”

HR Implications

Because LinkedIn, the largest resume database in the world, is used by tens of thousands of recruiters worldwide, this breach should be especially concerning to HR professionals. When that hack was revealed, LinkedIn reportedly invalidated the compromised account passwords and alerted its 400 million users about the importance of choosing strong passwords.

“On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk,” LinkedIn stated in a news release.

Aliah D. Wright is an online editor/manager for SHRM.



Hire the best HR talent or advance your own career.


HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.