A few weeks back I read this blog entry “Analyzing 20,000 MySpace Passwords” after seeing it on the homepage of Digg. The information presented is neat in that “I’m a nerd so I find this interesting” kinda way, but it didn’t reveal all that much. After being sent the url of a spoof MySpace log-in page, I checked the root and sure enough over 26,000 e-mail addresses and MySpace passwords were sitting there in a text file.
I sent the file over to my buddy Rabbit who aside from being a Sidekick 3 guru can toss together php scripts with ease. I asked him to run similar reports on the info as the other guy had done with his list of 20,000 passwords. After getting that knocked out, he wrote a little data scraping script to get demographic information on the phished accounts via the MySpace search for user by e-mail address function. Whenever you search for someone via e-mail you get some basic info along with a link to their MySpace profile: gender, age, sexual orientation, etc. Search Example
Report Number One - Basic Information
*I’d make graphs, but I’m lazy. :P
“I took this file, stripped out the entries that were missing an email or password, stripped out the email addresses that were completely invalid, and ran some analysis on it.” - Rabbit
Total email / password pairs: 26053
Length of Passwords
# of characters / Count / Percent
1 characters - 3 - 0.01%
2 characters - 2 - 0.01%
3 characters - 5 - 0.02%
4 characters - 153 - 0.59%
5 characters - 250 - 0.96%
6 characters - 4603 - 17.67%
7 characters - 6503 - 24.96%
8 characters - 6004 - 23.05%
9 characters - 4264 - 16.37%
10 characters - 3279 - 12.59%
11 characters - 605 - 2.32%
12 characters - 190 - 0.73%
13 characters - 78 - 0.30%
>13 characters - 114 - 0.44%
Strength of Passwords
*1 point for a lowercase letter, 1 point for an uppercase letter, 1 point for a number, and 1 point for a symbol for up to 4 points.
Strength / Count / Percent
1 - 2432 - 9.33%
2 - 22444 - 86.15%
3 - 1107 - 4.25%
4 - 70 - 0.27%
20 Most Commonly Used Passwords
Password / Instances
password1 - 63
abc123 - 42
iloveyou1 - 19
fuckyou1 - 16
myspace1 - 15
123abc - 14
number1 - 14
password - 13
loser1 - 13
iloveyou! - 13
soccer1 - 13
princess1 - 13
monkey1 - 12
nicole1 - 12
purple1 - 12
qwerty1 - 12
fuckyou - 12
fuckyou2 - 12
iloveyou2 - 12
monkey - 11
Top 10 Email Hosts
*Unique domains found: 1087
Domain / Count / Percent
@yahoo.com - 9466 - 36.33%
@hotmail.com - 5499 - 21.11%
@aol.com - 4219 - 16.19%
@aim.com - 1094 - 4.2%
@msn.com - 744 - 2.86%
@sbcglobal.net - 583 - 2.24%
@comcast.net - 504 - 1.93%
@gmail.com - 480 - 1.84%
@netscape.net - 237 - 0.91%
@myspace.com - 184 -0.71%
My Thoughts
Length of Passwords
So what? If you’re brute forcing a MySpace account, you likely have stalker / mental issues.
Strength of Passwords
Same as above.
Most Commonly Used Passwords
These people aren’t too good at the interweb. I like monkeys though.
Email Hosts
I just listed the top ten here, but this data overall has scumbag value. I’ll explain that after Report #2. The funny thing about this list is that MySpace came in tenth place and they don’t even offer email accounts to their users. This is because MySpace doesn’t require you to confirm your email address when creating an account. So, you can register with any bogus email address including @myspace.com apparently.
Report Number Two - Demographic Information
Total Scrapes: 25995
Gender Distribution
Not Specified - 755 - 2.9%
Female - 16291 - 62.67%
Male - 8949 - 34.43%
Age Distribution
Age Range / Count / Percent
Not Specified - 755 - 2.90%
14-17 - 15679 - 60.01%
18-21 - 5927 - 22.80%
22-30 - 2210 - 8.49%
31-40 - 345 - 1.34%
41-50 - 124 - 0.48%
51-70 - 123 - 0.48%
>70 - 832 - 3.20%
Sexual Orientation Distribution
Orientation / Count / Percent
Not Specified - 1514 - 5.82%
Straight - 21279 - 81.86%
No Answer - 2171 - 8.35%
Bi - 488 - 1.88%
Not Sure - 238 - 0.92%
Gay - 128 - 0.49%
Lesbian - 103 - 0.4%
My Thoughts
Gender Distribution
Boys are officially better than girls at math and the internet. Other than that, this info is pretty worthless.
Age Distribution
These stats tell us a lot and there’s much that can be done by scumbags with this info.
Seeing that it’s mostly kids getting phished tells us a pretty twisted tale. Most of the phished accounts are currently being used to spam via MySpace bulletins, comments, forum posts, etc. The spam being sent from these accounts ranges from BS “Free Ringtone” offers to Adult Dating (NSFW link), webcam, and porn sites. So, this tells us that kids are being spammed from the accounts of other kids with links to adult sites. How screwed up is that? And, it’s actually a good bit more than 60.01% kids in the above report. Lots of kids set their age higher in order to avoid having a forced private profile. And, others do it because… Well, they’re kids. Ages 69, 99, and 100 had pretty decent spikes in the full stats.
Many people use the exact same email address and password on multiple sites, including Paypal and their banking. A semiskilled scumbag could use the age info to narrow the list down to exclude kids who wouldn’t have any accounts worth breaching. If they really wanted to narrow things down, they could zone in on adults with email addresses that are with an actual ISP. I imagine those are more likely to be attached to PayPal and banking accounts than email accounts setup with Yahoo, HotMail, etc.
Sexual Orientation Distribution
ummmm…. Who cares?
Side notes
- Yes, this info could also be used by e-mail spammers for ad targeting.
- The stuff showing up as “Not Specified” is a mix of music, film, and comedy profiles. A few are probably just errors. It was MySpace that was scraped.
- I reported the spoof log-in page to MySpace right after saving the text file from it. They are pretty quick to reply with a ‘thank you’ and have the page removed by whatever host it’s on.
Related Articles
27 brave souls have commented on this post
It’s a little scary that so many of the people that fell for this were so young. Based on profiles and comments, I can’t imagine the amount of personal information that they share in their emails. Makes you really want to push for an “Internet Safety” class to be introduced into our schools.
I agree, but you have to remember that the majority of people on myspace are all young (under 20). I guess most people just don’t know the basics about internet safety.
Actually the majority of people on MySpace are no longer under 20. According to this article 41% of MySpace users are 35-54. Only 30% are under 25 years old.
“41% of MySpace users are 35-54″… ummm… I find that hard to believe. There’s plenty of people on there in that bracket, but the youngters still dominate it.
this is very informative knowledge. this is good work.
how do we like stop people from hackin our accounts if we already tried changin our passwords? cause yeah i got mad hackers
The thing of it is, these fake login pages are going unnoticed. People don’t pay a damn bit of attention. And young kids pay a lot less attention than the older crowd. They don’t even realize that they’re being asked for their email and their password when the link they’ve clicked is supposed to take them to an outside site.
This was interesting.
Nice, similiar results as my post. Even the appended 1s to the passwords, and the idiots posting on your blog asking how to stop hackers. Don’t worry once Google indexes it you’ll get dozens of people asking how to steal passwords next. Anyways nice post ;)
I’ve had no requests for a second login, that I recall. But I am concerned that when I respond to email about “new messages” from myspace the link that appears in the email may direct me to a spoofed login page, collect my email and loging password, and then log me into my myspace account.
Have you heard of that gambit? Is it in fact feasible?
Thanks so much for the article and the video briefing. LOL indeed..
what percentage post blogs while still in their underwear?
Re: Jim
That’s a feasible setup. Not very likely in my opinion though.
Re: Hiro
If pajama pants count, I’d say it’s a fairly high percent. That or I’m a minority. :P
Lol I get them daily, sometimes more than one. Here’s today’s email:
{name removed} wrote:
if i provide u someone’s email address, can u PLEASE provide me her password? i
can not seem to b able to get over her. i do NOT intend to be any nuisance to
her, but just want to read what’s going on in her life.
Thank & Regards,
{name removed}
Website: NA
IP: {IP removed}
{Yeah, I can be nice}
Re: Rub3X
LOL… I’ve been getting stuff like that on MySpace for awhile now.
Dude Lo squared, I’m really really tired of having to tell people on my boards to change their passwords, somone needs to bring the pain on the morons doing this.
Great work!
hate to think what i will do to those who make spy & virus……
you now thy wont like them selves after I’m done evil hehehehe
you now pay back and such
omg im so confused i need help my myspace is done i need to fix it but f***in kant HELP ME PLZ ANYONE WHO KAN
mail me tha password n e-mail plz thnks ill b waitn forever until i get this
My account got phished but I never signed into a false log-in…what I did do was try to comment on a friend’s page whose account had been phished… and someone my account was stolen?
My account was blocked and called “phished” yet I am unable to change
my password, it reports as an invalid, which it isn’t,..
well I have contacted Myspace several tomes now and all
I got back was to change my password, which was in fact
what I was asking them about,..
Anyone with any advice? Or do I start a whole new myspace account?
Thanks!
My account has also been labled as ‘phished’ for the past two days. I keep getting up super early to message and comment Tom. But he seems not to hear the hunreds or maybe millions of us asking for his help. I dont to start a new account because Ive had my account for about three years now. Yes Im younger than 25 but I dont think Im stupid to hand my email and password off to someone else. Well really by what Tom says…all us ‘phished’ users just need a link. Which I cant find anywhere.
Hmm so this was a waste of time then.
Most phished accounts, are people with lame passwords. some of them aren’t even really “phished” though. My mother’s was supposedly “phished” and her password was basically a randomly generated password from the Unix “Adduser” service. I doubled it, and then added randomized characters and numbers. She’s also not dumb enough to click links. Kind of strange. MySpace is full of newbie script kiddies who get their rocks off by phishing for useless information. ;) Stupid kids. *sigh* PS: I’m one of those “kids” you say dominate myspace. Though, I am twenty, I’m still basically a kid. Oh well. Later, people.
IVE BEEN PHISHED ! AND THE VERIFICATION CODE TO CHANGE MY PASSWORD DOESNT APPEAR….. I CANT DO NOTHING …HELP…!
Well I have myspace as a homepage and it always says myspace.com I always look at everything. And now I can’t fix it because the verification code wont show up I checked on several computers. So now I can’t unblock my myspace profile. Please someone help me!
Re John and Kim
Read my latest blog entry about this issue:
MySpace inadvertently flagging accounts as phished
Thanks….I hate all this spam stuff….can’t do anything on myspace anymore…I can’t even create a new account because the captcha code won’t come up
My goodness, myspace has been phished. So I stucked it
for a while. So please help me. I don’t know what is going on?
Speak Your Mind