Myspace on Tuesday confirmed reports that it suffered a major data breach in 2013 and that the stolen information is now up for sale online.
"Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum," the site wrote in a blog post. The breach occurred on June 11, 2013, and affects a portion of accounts created on the old Myspace platform.
Myspace did not reveal how many accounts were affected, but LeakedSource, a search engine for leaked records, which claims to have obtained a copy of the stolen information, said the data set includes 360,213,024 records. Each record may contain an email address, username, one password, and in some cases a second password; no financial information was involved.
Even if you haven't used Myspace in years, you may still be affected – especially if you tend to reuse the same passwords between sites.
"If you use passwords that are the same or similar to your Myspace password on other online services, we recommend you set new passwords on those accounts immediately," Myspace wrote.
According to LeakedSource, the stolen passwords were stored in SHA1 with no "salting," a process that makes them much harder to decrypt. "The methods Myspace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it's not encryption," LeakedSource wrote.
Myspace said it has invalidated all affected passwords; if your account was involved, you'll be prompted to reset your password the next time you sign in. The site said it has taken "significant steps" to strengthen account security since the breach and now uses double salted hashes to store passwords.
"This is an ongoing investigation, and we will share more information as it becomes available," Myspace wrote.