The Data
Every day we become aware of data breaches, which took place some time ago. Sometimes these are months or even years. The data could be old of questionable value or origin, they can be fake or redacted. We try our best to confirm data authenticity and report these breaches to victims.
Media wrote a lot this month about data breach of LinkedIn users’ credentials from 2012, because the database appeared on black market and was bought by data collector companies. Before that in May logins and passwords of Tumblr users surfaced after breach in 2013. This purchase without a doubt triggered a chained reaction and owners of similar databases started to sell or just publish a long-time ago obtained information. We have discovered that people on multiple websites have started sharing database dumps or just login/password pairs in CSV format, dated back to 2013 and older (according to timestamps of shared files).
On May 27 LeakedSource claimed to have in possession 360 million emails and passwords of users at MySpace, once famous social network. Most likely, this is not a fresh breach too.
Most of these passwords are outdated and cannot be used against the breached service, however users might use the same passwords for other online services, such as email, plenty of websites or event corporate resources and bank accounts. We urge all our readers to use password managers with randomly generated password for each resource to avoid possible data leaks in the future.
Legal consequences for reporting a data breach
Reporting a data breach is a tricky thing, as it appears. Some companies and governmental agencies do not like it. As it happen with leak of Mexican voters database, we wrote last month, the researcher was accused of illegal access to classified information while trying to report the issue.
Another case in USA ended with FBI raid on researcher’s house after reporting discovery of private medical records on a public server.