Leakage blamed on treacherous friends exposed unencrypted credentials, email addresses
# Incident Report: Myspace93 Plaintext Credential Leak
## Executive Summary
In January 2021, the parody social media site Myspace93 (a Windows93 project offshoot) suffered a major data breach resulting in the exposure of over 46,000 user credentials. The breach was attributed to "trusted members" of the community who leveraged access to a beta application to exfiltrate unencrypted server files. The full scope of the leak, including plaintext passwords, was only widely publicized years later when the data was ingested by breach aggregation services.
## Incident Details
- **Discovery Date:** July 2021 (Internal) / May 2026 (Public Aggregation)
- **Incident Date:** January 2021
- **Affected Organization:** Myspace93 / Windows93 Project
- **Sector:** Entertainment / Web Art / Social Media (Parody)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** January 2021
- **Vector:** Insider Threat / Abuse of Beta Access
- **Details:** The site co-creator (Janken) shared a beta application (referred to as ".smash") with a group of "trusted members" in the Windows93 channel. These individuals used this privileged access to compromise server files.
### Lateral Movement
- **Details:** Attackers moved from the beta application environment to the broader server file system, identifying and accessing the database containing Myspace93 user credentials.
### Data Exfiltration/Impact
- **Details:** The attackers created a custom program to download the entire server's contents, including source files for Windows93 and a database file containing unencrypted credentials for over 45,000 users.
### Detection & Response
- **Detection:** One week after the incident, an "honest user" alerted the co-creator that the group was bragging about the theft.
- **Response:** The co-creator confronted the individuals, who initially denied the act but eventually confessed. The .smash app was removed, and the group promised to delete the stolen data (a promise later proven false).
## Attack Methodology
- **Initial Access:** Trusted Insider / Shared Beta Access.
- **Persistence:** Not explicitly reported (the attackers were "trusted members" with ongoing community access).
- **Privilege Escalation:** Exploitation of beta application permissions to access server-side files.
- **Defense Evasion:** Social engineering (maintaining a "helpful" facade within the dev team).
- **Credential Access:** Access to an unencrypted credential store (plaintext file).
- **Discovery:** Server file system enumeration.
- **Collection:** Automated, programmatic download of server files.
- **Exfiltration:** Direct download of source code and user databases.
- **Impact:** Exposure of 46,000+ plaintext usernames, passwords, email addresses, and IP addresses.
## Impact Assessment
- **Financial:** Minimal direct financial impact reported; project is non-commercial/art-based.
- **Data Breach:** High. 46,445+ sets of plaintext passwords, emails, and IP addresses.
- **Operational:** All social networking features of the project were permanently shuttered.
- **Reputational:** Damage to community trust and the "Windows93" brand; co-creator admitted naivety.
## Indicators of Compromise
- **Network Indicators:** N/A (Internal betrayal).
- **File Indicators:** `.smash` application (misused/vulnerable beta tool).
- **Behavioral Indicators:** Users bragging in private chats/channels about possessing server source code ("Myspace .smash").
## Response Actions
- **Containment:** Removal of the vulnerable `.smash` application from the server.
- **Eradication:** Confronted the threat actors and obtained a verbal/written promise of data deletion (Ineffective).
- **Recovery:** Shutdown of all social network-related services across the site to prevent further risk.
## Lessons Learned
- **Key Takeaways:** Even in hobbyist/art projects, storing passwords in plaintext is a critical failure. "Trust" is not a security control.
- **What could have been done better:** Credentials should have been hashed and salted from the project's inception. Access to beta tools should have been sandboxed and restricted from reaching production databases/sensitive files.
## Recommendations
- **Password Security:** Always store passwords with a strong, modern password-hashing algorithm (e.g., Argon2 or bcrypt).
- **Principle of Least Privilege:** Beta testers and community contributors should never have access paths to the full server file system or user databases.
- **Incident Verification:** Never assume attackers have deleted stolen data based on "honor"; always assume data is compromised and inform the user base immediately (the 2021 warning was issued, but users may not have realized passwords were plaintext until the 2026 aggregation).
- **Password Hygiene:** Affected users must change passwords on any other services where they reused their Myspace93 credentials.