
Myspace93 Breach: 46,000 Plaintext Passwords Finally Surface, Five Years Late

In January 2021, Myspace93 — a parody site mimicking the old social network — suffered a breach in which trusted members of a Discord community exploited beta app access to steal server files, including an unencrypted store containing the plaintext usernames, passwords, email addresses, and IP addresses of over 46,000 users. The site's co-creator, known as jankenpopp, blamed the betrayal on individuals he considered close collaborators, who concealed the theft and shared stolen data and download tools among themselves. The breach has only recently been highlighted after HaveIBeenPwned ingested the data more than five years later, and affected users are advised to change any reused passwords and enable two-factor authentication.

If you ever created an account on Myspace93, the quirky parody web art project, now would be a good time to check your password reuse habits. Data from a 2021 breach has only just been indexed by HaveIBeenPwned, and what it contains is not pretty: plaintext usernames, passwords, email addresses, and IP addresses belonging to over 46,000 registered users.

Storing passwords in plaintext in 2021. Let that sink in.

The breach itself happened in January of that year, but the full dataset had apparently been circulating quietly for half a decade before HIBP finally got around to ingesting it this week. Better late than never, presumably.

Myspace93 is a nostalgia project built on the same bones as Windows93, a browser-based parody of the old Microsoft operating system. Both are passion projects by a developer who goes by jankenpopp, or Janken. They let people poke around a simulated version of something the internet has long since buried.

According to a post Janken wrote in July 2021, the breach didn't come from some sophisticated external attack. It came from people Janken trusted. Specifically, members of the Windows93 Discord community who had been given access to a beta application. Those individuals apparently decided that access was an invitation to download the entire server, including a completely unencrypted file containing credentials for tens of thousands of users.

They didn't flag it. They bragged about it.

"It was only a week later that another honest user alerted me to the fact that these people were bragging about having the Myspace passwords," Janken wrote. It then took two more days to extract a confession from those involved.

The group had also built and shared a dedicated download tool, along with step-by-step instructions, and had posted stolen files across multiple platforms. When confronted, they apparently promised to delete everything and keep quiet. Janken believed them, which, in retrospect, was optimistic.

"I really trusted them back in the day and considered them part of my team," Janken wrote. "I blame myself for being so naive."

The site itself still exists if you want a hit of early-2000s internet aesthetics, but account registration and social features have been shut down across all Windows93 offshoots following this episode.

If you had an account, assume the credentials are compromised. Check whether you reused that password anywhere else, change it if so, and turn on two-factor authentication wherever you can. The usual drill, and yes, it still needs saying.