Readers send along their notifications from two recently disclosed breaches.
First, from MySpace:
From: Myspace Legal
Date: 2016/06/14 11:41 AM (GMT-05:00)
To: <redacted>
Subject: Critical Information About Your Myspace Account

Notice of Data Breach

You may have heard reports recently about a security incident involving
Myspace. We would like to make sure you have the facts about what happened,
what information was involved and the steps we are taking to protect your
information.

What Happened?

Shortly before the Memorial Day weekend (late May 2016), we became aware
that stolen Myspace user login data was being made available in an online
hacker forum. The data stolen included user login data from a portion of
accounts that were created prior to June 11, 2013 on the old Myspace
platform.

We believe the data breach is attributed to Russian Cyberhacker ‘Peace.’
This same individual is responsible for other recent criminal attacks such
as those on LinkedIn and Tumblr, and has claimed on the paid hacker search
engine LeakedSource that the data is from a past breach. This is an ongoing
investigation, and we will share more information as it becomes available.

What Information Was Involved?

Email addresses, Myspace usernames, and Myspace passwords for the affected
Myspace accounts created prior to June 11, 2013 on the old Myspace platform
are at risk. As you know, Myspace does not collect, use or store any credit
card information or user financial information of any kind. No user
financial information was therefore involved in this incident; the only
information exposed was users’ email address and Myspace username and
password.

What We Are Doing

In order to protect our users, we have invalidated all user passwords for
the affected accounts created prior to June 11, 2013 on the old Myspace
platform. These users returning to Myspace will be prompted to authenticate
their account and to reset their password by following instructions at
https://myspace.com/forgotpassword

Myspace is also using automated tools to attempt to identify and block any
suspicious activity that might occur on Myspace accounts.

We have also reported the incident to law enforcement authorities and are
cooperating to investigate and pursue this criminal act. As part of the
major site re-launch in the summer of 2013, Myspace took significant steps
to strengthen account security. The compromised data is related to the
period before those measures were implemented. We are currently utilizing
advanced protocols including double salted hashes (random data that is used
as an additional input to a one-way function that “hashes” a password or
passphrase) to store passwords. Myspace has taken additional security steps
in light of the recent report.

What You Can Do

We have several dedicated teams working diligently to ensure that the
information our members entrust to Myspace remains secure. Importantly, if
you use passwords that are the same or similar to your Myspace password on
other online services, we recommend you set new passwords on those accounts
immediately.

For More Information

If you have any questions, please feel free to contact our Data Security &
Protection team at [email protected] or visit our blog at
https://myspace.com/pages/blog.
Second, from Let’s Encrypt:
To Our Subscribers:
Last week, we wrote to inform you of an update to our subscriber agreement.
Unfortunately, there was a bug in our systems that inadvertently prepended
subscriber email addresses to the body of the email. You are receiving this
email because your address was one of those that was disclosed to a subset
of other Let’s Encrypt subscribers. It is unacceptable that this happened
to you, our users and allies in creating a more secure and
privacy-respecting Web.

Transparency is one of our core principles and that principle is
particularly important when we make mistakes. You deserve to know what
happened and what we’re doing to make sure it doesn’t happen again. That’s
why we created a public incident report within 90 minutes of first learning
about the problem and why we’ve posted a final report and improvement plan:

https://community.letsencrypt.org/t/email-address-disclosures-june-11-2016/

We are sorry for this error. We didn’t live up to your expectations and the
standards we set for ourselves. Please be assured that we’ve taken steps to
make sure this doesn’t happen again.

—
Josh Aas
Executive Director
Internet Security Research Group
Let’s Encrypt: A Free, Automated, and Open CA