It’s alarmingly simple. And you can blame MySpace for most of it.
Over the past month, the Twitter accounts of everyone from Mark Zuckerberg to Drake to deceased Beatle George Harrison have been hacked.
Some of those accounts, one of the most prolific hackers tells The Daily Beast, were taken over by an alarmingly simple method that could work on anyone—and not just celebrities—who has had a Myspace or LinkedIn account at any point.
J5Z, a hacker who gained access to the accounts of Harrison along with over a dozen other celebrities, including Rolling Stones guitarist Keith Richards and Justin Bieber producer Dan Kanter, said his method requires nothing more than access to one website and 76 cents.
That website is LeakedSource.com, which compiles the databases for publicly available hacks of usernames, passwords, and email addresses from every major website security breach over the last few years. The site includes results from 360 million Myspace accounts leaked in May and 117 million LinkedIn accounts that were breached in 2012.
This makes hackers’ jobs easy: J5Z only needs a single piece of identifying information—say, an email address or a similar username from an old site that’s previously been hacked, like Myspace. For a musician like Bon Iver, whom J5Z hacked, he’ll check his old Myspace username. For a businessman, a hacker might use an old email for his LinkedIn account.
The hacker will then run that username through LeakedSource.com and pay the website 76 cents for full results. In return, he’ll receive an email address (which can be run through the database again for even more information) and password.
“I search their Myspace username in LeakedSource, and their info comes up,” J5Z told The Daily Beast. “Email, password, username.”
Then, he’ll try that same email address and password to log in to Twitter. If those celebrities used the same password to sign up for all their social media accounts and haven’t changed them in a while, then J5Z has found his way in.
It’s a method that was outlined in a May 31 Wired article headlined “Your Old Myspace Account Just Came Back to Haunt You,” and it can be leave anyone who repeats a password—celebrity or civilian—vulnerable to a hack from any account.
J5Z, who left messages for the celebrities he hacked saying he wasn’t “trying to cause any harm” and that he could “help you secure your accounts,” implores anyone who has had an account on any of the websites in LeakedSource’s database to change their passwords at every site they may have repeated it. LeakedSource has the databases of usernames, emails, and passwords from Myspace, LinkedIn, Tumblr, Gawker, VK.com, Badoo.com, iMesh.com, a large swath of Twitter users, and other sites.
Other hackers have stated that J5Z’s LeakedSource method is the preferred strategy of OurMine, the collective that hacked Mark Zuckerberg’s Twitter account. (His Twitter password was famously revealed to be “dadada.”)
One hacker, who reached out to The Daily Beast from a verified account of a band he had taken over, insisted that he had used a different method. OurMine, he said, doesn’t “do anything except use LeakedSource.com.” He referred to the collective as harmless. J5Z said he has no affiliation with OurMine but that he’d heard they are “scared of the feds.”
When reached by The Daily Beast, LeakedSource referred to itself as “only scavengers and researchers” and made it clear “we are not hackers.”
“The information we publish is already out there,” said a LeakedSource representative, who declined to give a name. “People have it and most likely are abusing it. We are simply bringing it to the public to better protect those who have been compromised in these breaches.”
LeakedSource says it is helmed by a group of people who “all have tech backgrounds” and “noticed large amounts of ‘hacks’ around password reuse and figured if we could collect all of this leaked data, we could give better awareness and give your everyday internet user an additional layer of security.”
The representative said the site is aware of users who have used the service to break into accounts and that “we don’t allow or condone misuse and abuse of our service.”
“We have banned multiple abusers. With OurMine, for example, we took it a step further and reported [those users] to their local government,” said the representative.
The representative refused to give a primary location for the collective but said it is made up of fewer than 20 people, whose main goal is “awareness and change.”
Despite the high-profile, low-effort hacks by lone wolf civilians that were aided by LeakedSource, the representative insisted the site is doing users a service.
“Hiding it only does more damage when you have multiple communities who flourish on spreading this information and abusing it,” said the rep. “It takes one site to have bad security and ruin it for others.”