Follow up on phishing attack on MySpace users
On 15th January 2007, a link to a text file containing 56,000 usernames and passwords collected in the course of a phishing attack on MySpace users was published on the Full Disclosure security mailing list. Whilst the phishers set about misusing the data for their own nefarious ends, security specialists were using the list to analyse the quality of the passwords. The general complexity of the passwords is increasing, in that users choose relatively long words and also include numbers -- although of course the best password in the world isn't going to help against a phishing attack.
One week after publication of the list, of which only about 39,000 entries contained valid login data, we asked affected users by e-mail whether MySpace or anyone else had informed them of the incident, what their experience of using the service had been and how they viewed the protection of their data. 900 responses were received. Only 39 stated that they had been informed of the incident by MySpace, 293 had found out about it as a result of the survey and 319 in other ways. In most cases users noticed the abuse of their data as a result of spam sent to their entire circle of friends. Users and their friends also noticed changed profiles carrying advertising, in some cases for adult content.
573 apparently noticed that someone else had logged into their account. In 50 cases, the password had even been changed by someone else. 818 changed their passwords themselves after the incident. The phishers were obviously primarily interested in sending advertising, irritating users by changing profiles or just rummaging around in their private data.
However, 216 were worried that the stolen data could in some way be used against them. Very few stated that they had had compromising material in their profiles, as many were aware of the risk. The issue of identity theft was also met, in some cases, with humour - one respondent, for example, answered that his credit rating was so bad that the phishers were welcome to his identity.
An additional risk for users is the widespread practice of reusing passwords. A number reported that the e-mail account used as their MySpace user name had been misused. In at least two cases, both passwords had been changed. MySpace users, who are mostly young, are considered to be relatively lacking in product loyalty and to switch quickly to other community sites; however, this was not confirmed by the survey. Only 7 of the respondents stated that they had deleted their profiles. The same number had created a new profile right after deleting the old one.
MySpace has been known to react to previous security problems extremely rapidly. When the Samy worm appeared, the entire site was shut down and the malicious code removed from profiles automatically. A similar procedure was followed for the QuickTime worm. In this latest incident, MySpace's first reaction took 10 days, when MySpace asked the mailing list administrators to remove the list of user data from the archive. However, there are other archives of the mailing list administered by other organisations where the list is still available. (Christoph Puppe)