Have you heard of the MySpace data breach? If not, it may be too late. Time Inc., the owner of the former social networking giant MySpace.com, has confirmed that it was in fact hacked, and older (pre-2013) MySpace account data is surfacing for sale on the dark web. LeakedSource.com has reported that over 360 million accounts are involved in the MySpace data breach. Account owner names, email addresses, and weakly hashed passwords were all exposed in the breach and are being sold as you read this.
If you are a former or current MySpace user, you may start to wonder about the worst case scenario: your account was involved in the MySpace data breach. I know my first thought, and probably some other people’s first thought, was: what music did I like back in 2008 when I abandoned my MySpace account? What is the dark web going to do with the knowledge that I liked Nickelback, that I am a Chicago Bears fan, or that I had numerous pictures posted of my dog Kramer? Your next thought may be: Nothing! That information is useless. You couldn’t be more incorrect. Anyone in the payment fraud and security field is now well aware that social media profile accounts and login credentials far exceed the value of stolen credit card or payment account numbers. Stolen social profile data hands fraudsters an even larger advantage over merchants, one they did not need. Here are a few ways the data you abandoned 8 years ago, and thought was harmless, may be the reason your active profiles and payment accounts are affected in the future.
How can you be victimized by this MySpace data breach?
- Fraudsters with the information from the MySpace data breach are now able to put a face with their accounts. Let’s say your MySpace account was hacked and a fraudster has purchased your full name, email address and the password you last used on MySpace. Like most people, you switched from MySpace to Facebook and kept the same email address. The fraudster already has their stolen credit cards (hopefully not yours) and decides to do some eCommerce shopping. They place an order on XYZwatchShop.com and use expedited shipping; it’s more expensive, but why not, they’re not paying for it. They use your name (which they got from the breach) and set the order to ship to their preferred shipping address, where they can safely pick up the delivery. XYZwatchShop.com has a fraud tool and flags the order for review. The fraud analyst reviews the order and sees that the billing name (again, this is your name) matches a valid Facebook account (your Facebook account) and possibly some other social media sites you may belong to. The analyst thinks this order looks good, since the name matches a great, active social media account, and approves the order. You may or may not get an email from XYZ watch shop; you may discard it, it may go to your spam folder, or you may even stop and call your credit card companies to make sure there are no purchases on your credit cards. Your credit card companies put you at ease and confirm no charges have been made, and you discard the email as a mistake or spam. You have now unwittingly played your part in this social engineering fraud. You may think, so what, I didn’t lose any money, none of my credit cards were impacted. But the fraudster is not done yet.
- Remember Nickelback? Your favorite band back in your MySpace days? Unfortunately, your love for the band is not only embarrassing, it could also make you vulnerable to an account takeover. Most websites require you to answer a few validation questions when you forget a password, or in this case when a fraudster is attempting to take over one of your accounts. Having full access to your MySpace account, the fraudster now has multiple answers to those common validation questions:
  - What is your favorite sports team?
  - What was the first concert you attended?
  - What is the name of your favorite pet?
  - What city were you born in?

  The list of information you made available on your social media site is endless, and it gives fraudsters exactly what they need to answer the very simple, common validation questions most websites ask when updating passwords or changing account information altogether.
- Some people treat a password like a favorite t-shirt. They keep it, they use it everywhere, they go back to it even though they know it’s time for a new one. And like an old t-shirt, their favorite password is soft, has holes, is outdated, and needs to be replaced. Let’s say you’ve kept your same ‘go to’ password for a few different sites: your MySpace page, now Facebook, and maybe even your PayPal account. Or perhaps your eBay account, your iTunes, or even your Amazon account. Now the fraudster who has your favorite recycled password and your email address is going on a shopping spree with your accounts that have stored payment data. They can even delete the order confirmation emails from your email account before you have a chance to see them. The fraudster now has full access to your online shopping profile, your stored payment accounts, and your email address.
What should possibly hacked consumers do?
If you were involved in this MySpace data breach, you probably won’t know for sure for a while. It takes time for the sale of your data on the dark web to happen, and even longer for the new owner of your data to begin to test and use it. That doesn’t mean you should wait for something to happen. Change your passwords! Abandon that favorite ‘go to’ password you have been using for years. Change your passwords every few months. Most corporate environments make employees change their email and login passwords every 60 or 90 days. They do this for a reason, and if you follow suit, it may keep future data breaches from exposing any of your still-relevant account information.
What should merchants do to prevent being victimized by this and future breaches?
Be cognizant of the changing landscape of fraud attacks and of the fraud prevention measures that help fight eCommerce fraud. Social media accounts used to be a great, almost flawless verification tool: if a customer’s email address matched a valid social media account, a merchant would approve the order during review. Fraudsters know this; that’s why these stolen accounts are so valuable. As the fraudster evolves and changes their understanding of fraud prevention, the merchant must also adapt and react. Know that a social profile match no longer means an automatically valid order. Pay more attention to IP addresses and device fingerprinting. Dig deep in device data. Pay attention to the browser language being used. Does it match the profile of your customer? Why is a 30 year old white male from Utah using a browser in Spanish with a time zone in Europe? Question the anomalies, don’t believe in coincidences, and pay attention to the finer details hidden in device data…and sadly, nobody listens to Nickelback anymore.
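The review logic described above, as an added example in Python; it is not code from the original post or from any merchant’s fraud tool. The order fields, the expected-language and time-zone tables, the scoring weights and the sample orders are all constructed for illustration. The point it demonstrates is structural: a social profile match is recorded but never lowers the score, while browser language, device time zone and IP country are compared against the billing profile, and a ship-elsewhere expedited order is never auto-approved on a name match alone.

```python
# Added example (not from the original post): order-review heuristics that treat a
# social-profile match as informational and weight device-data anomalies instead.
# All reference tables, field names, weights and sample orders are constructed for
# illustration; a real deployment would source them from the merchant's own data.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Order:
    order_id: str
    billing_country: str        # ISO 3166-1 alpha-2 country of the billing address
    social_profile_match: bool  # billing name/email matched an active social account
    browser_language: str       # primary Accept-Language tag reported by the browser
    tz_offset_hours: int        # UTC offset reported by the client device
    ip_country: str             # geolocated country of the client IP address
    ship_to_billing: bool       # shipping address equals billing address
    expedited_shipping: bool


# Constructed reference data: languages and UTC offsets a merchant would normally
# expect for a given billing country. Hypothetical and deliberately small.
EXPECTED_LANGUAGES: Dict[str, Set[str]] = {
    "US": {"en", "es"},
    "GB": {"en"},
    "DE": {"de", "en"},
    "ES": {"es", "ca"},
}
EXPECTED_TZ_RANGE: Dict[str, Tuple[int, int]] = {
    "US": (-10, -4),
    "GB": (0, 1),
    "DE": (1, 2),
    "ES": (0, 2),
}


def review_order(order: Order) -> Tuple[int, List[str]]:
    """Score an order from device and shipping data; return (score, reasons).

    A social-profile match is recorded as a reason but never lowers the score,
    so it cannot clear an order whose device data contradicts the billing profile.
    """
    score = 0
    reasons: List[str] = []

    # Browser language versus what the billing country normally produces.
    lang = order.browser_language.split("-")[0].lower()
    expected_langs = EXPECTED_LANGUAGES.get(order.billing_country)
    if expected_langs and lang not in expected_langs:
        score += 30
        reasons.append(f"browser language {order.browser_language!r} unusual for "
                       f"billing country {order.billing_country}")

    # Device time zone versus the billing country's plausible UTC offsets.
    tz_range = EXPECTED_TZ_RANGE.get(order.billing_country)
    if tz_range and not (tz_range[0] <= order.tz_offset_hours <= tz_range[1]):
        score += 30
        reasons.append(f"device time zone UTC{order.tz_offset_hours:+d} outside "
                       f"range expected for {order.billing_country}")

    # IP geolocation versus billing country.
    if order.ip_country != order.billing_country:
        score += 20
        reasons.append(f"IP geolocates to {order.ip_country}, billing is "
                       f"{order.billing_country}")

    # Shipping pattern from the post's scenario: ship elsewhere, pay for speed.
    if not order.ship_to_billing:
        score += 10
        reasons.append("ship-to address differs from billing address")
        if order.expedited_shipping:
            score += 10
            reasons.append("expedited shipping to a non-billing address")

    if order.social_profile_match:
        reasons.append("social profile matched (informational only, not clearance)")

    return score, reasons


def decision(order: Order) -> str:
    """Map the score to a queue: approve, manual review, or escalate."""
    score, _ = review_order(order)
    if score >= 50:
        return "escalate"
    if score >= 20:
        return "review"
    return "approve"


# Constructed sample orders. The third mirrors the anomaly described in the post:
# a US billing profile with a Spanish-language browser on a European time zone.
SAMPLE_ORDERS = [
    Order("A-1001", "US", False, "en-US", -7, "US", True, False),
    Order("A-1002", "US", True, "en-US", -7, "US", False, True),
    Order("A-1003", "US", True, "es-ES", 1, "ES", False, True),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        score, reasons = review_order(o)
        print(f"{o.order_id}: score={score} decision={decision(o)}")
        for r in reasons:
            print(f"    - {r}")
```

Run as a script, the first order (consistent device data, ship to billing) is approved, the second (consistent device data but expedited shipping to another address, with a social profile match) lands in manual review rather than being cleared by the match, and the third (European time zone and IP on a US billing profile) is escalated despite the same social profile match. Weights and thresholds are placeholders; tune them against your own chargeback history.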
If you need help navigating the world of eCommerce fraud (or even the MySpace data breach), we’re here to help. Reach out to one of our conversion consultants today to help you fight the battle against fraudsters: