Your Old MySpace Account Was Just Used to Steal Your Identity

The Call That Changes Everything

Sarah got the call on a Tuesday.

"Ma'am, we've detected fraudulent charges on your credit card. Did you purchase $3,200 worth of electronics from Best Buy?"

She didn't.

"Did you recently change your shipping address to Miami?"

She lives in Seattle.

"We'll freeze your card and launch an investigation."

How It Started: A MySpace Account from 2008

The investigation revealed something Sarah never expected:

The hackers got in through her MySpace account.

Not her bank. Not her email. Not a phishing scam.

Her MySpace account from 2008 that she'd completely forgotten about.

Here's what happened:

Step 1: The MySpace Data Breach (2013)

In 2013, MySpace was breached.

360 million accounts were compromised:

• Usernames
• Email addresses
• Passwords (weakly hashed)

The data was sold on the dark web for $2,800.

Sarah had no idea. She hadn't used MySpace since 2010.

Step 2: Password Cracking

Sarah's 2008 password: Sarah2008!

Using the leaked data, hackers ran password cracking tools.

Time to crack: 2.3 seconds.

They now had:

• Her email: sarah.chen.work@gmail.com
• Her password: Sarah2008!
• Her username: sarah_chen08

Step 3: Credential Stuffing

Here's where it gets bad.

Hackers took Sarah's MySpace credentials and tried them on:

• Gmail
• Amazon
• Bank of America
• PayPal
• Netflix
• Facebook
• LinkedIn
• Apple ID

Why? Because 81% of people reuse passwords.

Step 4: The Domino Effect

First hit: Her old Gmail account

The password worked.

Sarah had changed her main Gmail password years ago, but she had an old account (sarah.chen.work@gmail.com) that she'd abandoned in 2015.

Same password. Never updated.

What was in that Gmail:

• Password reset emails (stored)
• Bank statements (from 2012-2015)
• Amazon order history
• Social Security number (from tax docs)
• Old credit card numbers

Step 5: Taking Over Everything

With access to her old Gmail, hackers:

1. Reset her Amazon password

   • Used stored payment method
   • Ordered $3,200 in electronics
   • Changed shipping address to Miami

2. Reset her bank password

   • Transferred $12,000 to external account
   • Bank blocked it (flagged as suspicious)

3. Accessed her LinkedIn

   • Downloaded her professional network
   • Sent phishing emails to her contacts

4. Tried to access PayPal

   • Failed (she had 2FA enabled - saved her)

Total Damage:

• $3,200 in fraudulent purchases
• 40+ hours dealing with banks/police
• Credit frozen for 6 months
• Identity theft report filed
• Contacts compromised (LinkedIn phishing)

All because of a MySpace account she created in 2008 and forgot about.

This Isn't Rare. It's The New Normal.

Sarah's story is playing out thousands of times per day.

The Numbers:

Old account breaches:

• MySpace (2013): 360M accounts
• Adobe (2013): 153M accounts
• Tumblr (2016): 65M accounts
• Dropbox (2012): 68M accounts
• LinkedIn (2012): 117M accounts
• Yahoo (2013-2014): 3 BILLION accounts

All forgotten. All exploited.

Why Old Accounts Are Dangerous

Reason 1: Password Reuse

You created that account in 2008 with password: YourName2008!

You've probably used that password (or a variant) on:

• Your bank (YourName2010!)
• Your email (YourName2015!)
• Your work login (YourName2020!)

Hackers know this. They try variations systematically.

Reason 2: Email Addresses Never Change

Your email from 2008? Still active.

That MySpace account links your old password to your current email.

Reason 3: Forgotten = Unmonitored

When was the last time you checked your old Friendster account?

Your old Tumblr?

Your old DeviantArt?

Never. Because you forgot they exist.

Which means you missed the breach notifications.

Reason 4: Recovery Paths

Old accounts often have recovery options set to:

• Your current email
• Your current phone number
• Security questions you've used elsewhere

Hackers exploit these to cascade into active accounts.

Real Examples From 2024

Case 1: The Adobe Breach

What happened:

• 2013 Adobe breach (153M accounts)
• Data included encrypted passwords
• Encryption was weak (DES)
• Passwords cracked

Victim profile:

• Graphic designer
• Used Adobe in 2011
• Password: Design2011
• Also used: Design2015 (Gmail), Design2020 (bank)

Result:

• Email compromised
• Bank account hacked
• $24,000 stolen

Case 2: The LinkedIn Breach

What happened:

• 2012 LinkedIn breach (117M accounts)
• Passwords stored as unsalted SHA-1 hashes
• Easily cracked

Victim profile:

• Marketing executive
• LinkedIn account from 2010
• Password: Marketing123
• Same password on corporate VPN (until 2018)

Result:

• Corporate VPN compromised
• Ransomware deployed
• Company paid $50K ransom

Case 3: The Yahoo Breach

What happened:

• 2013-2014 Yahoo breach (3 BILLION accounts)
• Names, emails, passwords, security questions leaked

Victim profile:

• Retiree
• Yahoo email from 2005
• Never changed password
• Used for: Banking alerts, Social Security, Medicare

Result:

• Bank account accessed
• Social Security benefits redirected
• $75,000 stolen over 6 months

The Services You've Forgotten

Let me guess what's in your forgotten account graveyard:

Dead Social Networks:

• ✅ MySpace
• ✅ Friendster
• ✅ Bebo
• ✅ Hi5
• ✅ Orkut
• ✅ Google+

Dead/Dying Services:

• ✅ StumbleUpon
• ✅ Delicious
• ✅ Digg
• ✅ FriendFeed
• ✅ Plurk
• ✅ Ning

Old Accounts You Abandoned:

• ✅ Tumblr
• ✅ LiveJournal
• ✅ DeviantArt
• ✅ Photobucket
• ✅ Flickr
• ✅ Picasa

Every single one of these has been breached.

What Hackers Do With Old Account Data

Phase 1: Acquisition

Hackers buy breach databases on dark web forums:

• MySpace: $2,800 (360M accounts)
• LinkedIn: $5,000 (117M accounts)
• Adobe: $150 (153M accounts)

Cheap. Accessible. Legal nowhere, enforced rarely.

Phase 2: Cracking

They run password cracking tools:

Hashcat (GPU-based):

• 100 billion passwords/second
• Cracks weak passwords in seconds
• Cracks strong passwords in days/weeks

John the Ripper (CPU-based):

• 10 billion passwords/second
• Targets common patterns
• Cracks 75% of passwords in < 1 hour

Phase 3: Credential Stuffing

They try your credentials on popular services:

• Gmail
• Amazon
• PayPal
• Netflix
• Dropbox
• Microsoft
• Apple
• Banks

Tools used:

• Sentry MBA
• STORM
• VertexHub
• BlackBullet

Success rate: 0.5-2% (sounds low, but on 360M accounts = 1.8-7.2M successful logins)

Phase 4: Account Takeover

Once in, they:

1. Extract value immediately:

   • Stored payment methods
   • Gift card balances
   • Sellable data

2. Pivot to other accounts:

   • Password reset links
   • Linked accounts
   • Saved credentials

3. Set up persistence:

   • Add recovery emails
   • Change passwords
   • Enable forwarding rules

Phase 5: Monetization

Direct theft:

• Fraudulent purchases
• Wire transfers
• Cryptocurrency theft

Data sale:

• Full account access: $20-200
• Banking credentials: $50-500
• SSN + DOB: $30-100

Ransomware:

• Lock files
• Demand payment
• Threaten exposure

How to Protect Yourself

Step 1: Find Your Forgotten Accounts (10 minutes)

Search your email for:

• "Welcome to"
• "Confirm your account"
• "Password reset"
• "Account created"

Or use GhostSweep to do it automatically.

Step 2: Check for Breaches (5 minutes)

Visit Have I Been Pwned

Enter every email you've ever used:

• Current email
• Old college email
• Work emails (past jobs)
• Temporary emails

What you'll find:

• Which services were breached
• What data was leaked
• When it happened

Step 3: Delete or Secure (Ongoing)

For each account:

If you don't use it: Delete it.

If you can't delete it: Secure it:

• Change password (unique!)
• Enable 2FA
• Remove payment methods
• Update recovery email

Step 4: Use Unique Passwords (Forever)

Never reuse passwords. Ever.

Use a password manager:

• Bitwarden (free, open-source)
• 1Password ($3/month)
• LastPass (free tier)

Generate passwords like:

X8$mK2@pL9#vN4&qR7

Not like:

YourName2024!

Step 5: Enable 2FA Everywhere

Two-factor authentication:

• Even if password is leaked, hackers can't get in
• Use authenticator apps (not SMS)
• Enable on: Email, banking, social media, work

This alone would have saved Sarah.

The Hidden Danger: Dead Services

When Companies Shut Down

What happens to your data when a service dies?

Option 1: Sold to highest bidder

• Your data becomes an asset
• Sold in bankruptcy proceedings
• New owner has no privacy obligations

Example: Gowalla (location check-in app)

• Shut down in 2012
• Sold user database to Facebook
• 600K accounts transferred

Option 2: Left unattended

• Servers abandoned
• Security lapses
• Data leaks over time

Example: PulsePoint (health tracking app)

• Shut down in 2017
• Database left online
• Discovered in 2020 breach
• 120M records exposed

Option 3: "Deleted" (but not really)

• Company claims deletion
• Backups remain
• Acquired in asset sale
• Resurfaces years later

The Timeline Attack

Here's a scary scenario:

2010: You create Adobe account
2013: Adobe breached (you don't know)
2015: You change all passwords (but forget Adobe)
2018: Hackers crack Adobe database
2020: They try your old password on everything
2024: They find your old Gmail with same password
2025: Identity stolen

15 years from account creation to exploitation.

You forgot the account.
The hackers didn't.

What Companies Don't Tell You

Truth 1: They Don't Delete Your Data

When you "deactivate" an account, they:

• Hide it from public view
• Stop sending you emails
• Keep all your data

Actual deletion requires:

• Finding account deletion page (often hidden)
• Confirming multiple times
• Waiting 30-90 days
• Verifying deletion

Truth 2: Breaches Get Discovered Years Later

Yahoo breach:

• Happened: 2013
• Discovered: 2016
• Full scope revealed: 2017

You were exposed for 4 years before knowing.

Truth 3: "Encrypted" Doesn't Mean Safe

Weak encryption:

• MD5 (cracked instantly)
• SHA-1 unsalted (cracked in hours)
• DES (cracked in seconds)

Strong encryption:

• bcrypt with salt
• Argon2
• PBKDF2

Most old services? Weak encryption.

The Bottom Line

Your forgotten accounts are a ticking time bomb.

Every old account is a potential entry point for hackers:

• MySpace from 2008
• Adobe from 2011
• LinkedIn from 2009
• That random forum from 2006

They're all still out there.
They all have your email.
They all have passwords you've reused.

And they're all being actively exploited.

What To Do Today

Action Plan (30 minutes):

10 minutes: Search email for old accounts
5 minutes: Check Have I Been Pwned
10 minutes: Delete top 10 oldest accounts
5 minutes: Enable 2FA on critical accounts

Or:

3 minutes: Run GhostSweep
27 minutes: Delete accounts it finds

Sarah's Update

Remember Sarah from the beginning?

After the identity theft, she:

1. Found 217 forgotten accounts
2. Deleted 189 of them
3. Secured the remaining 28
4. Enabled 2FA everywhere
5. Switched to a password manager

No incidents in 2 years.

Cost of prevention: 3 hours
Cost of identity theft: $3,200 + 40 hours + stress

Your Forgotten Accounts Are Out There

Right now, somewhere:

• A database with your old password is being sold
• A hacker is trying that password on your current accounts
• An old service you forgot about just got breached

You can ignore this.

Or you can spend 30 minutes cleaning it up.

Your choice.

Find Your Forgotten Accounts →

Based on real identity theft cases and breach data from 2024. Names changed for privacy.