46,000 Plaintext Passwords Exposed in Myspace93 Breach – Users Urged to Guard Their Accounts
#Security


Privacy Reporter

A 2021 breach of the nostalgic Myspace93 site has resurfaced, revealing over 46,000 usernames, passwords, email addresses and IPs in clear text. The leak, traced to trusted members of a Discord community, raises serious GDPR and CCPA compliance questions and highlights the need for users to stop reusing passwords and enable two‑factor authentication.


Image: Myspace93’s homepage, a parody of the original social network

In May 2026 the breach‑tracking service Have I Been Pwned added a new data set that dates back to a January 2021 attack on Myspace93, a fan‑run recreation of the early‑2000s social platform. The dump contains plain‑text usernames, passwords, email addresses and IP addresses for more than 46,000 registered users. Unlike most modern breaches, the passwords were stored in plain text rather than as salted hashes, meaning anyone who obtained the file can log in to the original accounts without any cracking effort, and can try the same username/password pairs on every other site the victims use.


What happened?

The site’s co‑creator, known only as Janken (real name undisclosed), posted a July 4, 2021 note explaining that the breach originated from a beta application shared with a small group of “trusted members” of the Windows93 Discord channel. Those members allegedly:

  1. Downloaded the entire server using a custom tool they distributed in the chat.
  2. Accessed an unencrypted credential store that held every user’s login data.
  3. Publicly bragged about the haul before a community member exposed the theft a week later.

Janken describes the incident as a betrayal of trust and admits that the site’s security practices at the time were naïve, relying on a single plain‑text file rather than industry‑standard hashing and salting.


European Union – GDPR

  • Article 5(1)(f) requires personal data to be processed in a manner that ensures appropriate security, including protection against accidental loss or unauthorized access. Storing passwords in clear text is a clear violation of this principle.
  • Article 32 obliges controllers to implement a level of security appropriate to the risk, which for authentication data means using strong cryptographic hashing (e.g., Argon2, bcrypt) with a unique salt per password.
  • Article 33 mandates that a data controller notify the supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of individuals. The only known disclosure is the co‑creator’s public note of July 2021, roughly six months after the January attack and far beyond the 72‑hour window, which exposes the operator to potential administrative fines.
  • Article 34 requires communication to affected data subjects without undue delay when the breach is likely to result in a high risk. Users were not directly informed; the only public notice came months later via the co‑creator’s blog post.

United States – California (CCPA and breach‑notification law)

  • Civil Code Section 1798.81.5 requires a business that owns or maintains personal information about California residents to implement reasonable security procedures and practices. Storing passwords in plain text does not meet the “reasonable” standard.
  • Civil Code Section 1798.82 requires notification of affected California residents “in the most expedient time possible and without unreasonable delay” once a breach of unencrypted personal information is discovered. The six‑month gap between the January 2021 attack and the July 2021 note could be deemed non‑compliant.
  • CCPA Section 1798.150 gives residents a private right of action when unencrypted personal information is exposed because of a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, and Section 1798.155 allows civil penalties of up to $7,500 per intentional violation. While Myspace93 is a niche site, even a modest share of California residents among the 46,000 affected users could add up to a sizable exposure if enforcement is pursued.

Other jurisdictions

  • Canada’s PIPEDA, Australia’s Privacy Act, and Brazil’s LGPD all contain similar security‑by‑design requirements. The breach could trigger cross‑border investigations, especially because the site’s servers were hosted in the United States but attracted a global user base.

Impact on users and the site’s operators

For users

  • Credential reuse: Many of the exposed passwords are likely reused on mainstream services (email, banking, social media). Attackers can now try them in credential‑stuffing attacks, dramatically increasing the risk of account takeover.
  • Personal data exposure: Email addresses and IP logs give attackers a foothold for phishing campaigns tailored to the victim’s known interests (e.g., nostalgia for early‑Internet culture).
  • Loss of trust: Even though Myspace93 is a hobbyist project, the breach undermines confidence in any community‑run platform that handles personal data.

For the operators

  • Regulatory exposure: If the site is deemed a data controller under GDPR, a national supervisory authority could impose fines of up to €20 million or 4 % of global annual turnover, whichever is higher. While the site’s turnover is negligible, even a fine scaled to a small operation could be significant for a volunteer project.
  • Potential civil claims: Affected users in the EU could seek compensation under GDPR Article 82, and California residents could sue under the CCPA’s private right of action, seeking damages for distress, the cost of resetting passwords and any resulting account takeovers.
  • Reputational damage: The public admission of “trusted members” stealing data may deter future contributors and volunteers, hampering the project’s ability to maintain the site.

What changes are needed?

Immediate steps for users

  1. Never reuse passwords – treat the Myspace93 credentials as compromised and change them on every other service where the same password appears.
  2. Enable two‑factor authentication (2FA) wherever possible, especially on email accounts linked to the exposed addresses.
  3. Monitor for phishing – be wary of unsolicited messages referencing Myspace93 or nostalgic “Windows93” themes.
For the operators

  • Migrate to salted password hashing (e.g., Argon2id) – prevents future exposure of usable passwords even if the database is stolen. Hashing cannot retroactively protect the passwords already leaked, so every existing account must also be force‑reset.
  • Encrypt all stored personal data at rest (AES‑256‑GCM) – addresses GDPR Article 32’s call for “state of the art” measures, which names encryption explicitly.
  • Implement a formal breach‑response plan with 72‑hour notification windows – aligns with GDPR Articles 33–34 and California Civil Code Section 1798.82.
  • Conduct a third‑party security audit – provides independent verification that the new controls are effective.
  • Publish a transparent post‑mortem detailing what went wrong and what has been fixed – restores community trust and demonstrates accountability under privacy laws.
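What the first item in that list means in practice, as an added example that is not Myspace93’s own code and not taken from the site: a one‑time migration of a plaintext credential file (the kind of record the leak contained) to per‑user random salts and a memory‑hard hash, plus the verification routine the login path then needs. The article recommends Argon2id; this example uses scrypt from the Python standard library (hashlib.scrypt) so it runs without third‑party packages, and the same structure applies to Argon2id via a library such as argon2‑cffi. The sample records, the scrypt parameters and the hash‑string layout are assumptions for the example.

```python
"""Migrate a plaintext credential store to salted, memory-hard password hashes.

Added example, not Myspace93's code. scrypt stands in for the Argon2id the
article recommends; the records below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the kind of record the leaked file held:
# username, password, e-mail address and IP, all in clear text.
PLAINTEXT_STORE = [
    {"user": "alice93", "password": "hunter2",
     "email": "alice@example.org", "ip": "203.0.113.5"},
    {"user": "bob_win93", "password": "correct horse",
     "email": "bob@example.net", "ip": "198.51.100.7"},
]

# Assumed scrypt parameters (not from the article). n must be a power of two;
# n=2**14, r=8 costs about 16 MiB of RAM per hash, which is why a stolen
# table of these hashes is expensive to brute-force.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16   # unique random salt per password
TAG_BYTES = 32    # derived-key (hash output) length


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: $scrypt$ln=14,r=8,p=1$<salt>$<tag>.

    Storing the parameters with the hash lets the site raise the cost later
    and re-hash users transparently on their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    tag = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=TAG_BYTES)
    params = f"ln={SCRYPT_N.bit_length() - 1},r={SCRYPT_R},p={SCRYPT_P}"
    return f"$scrypt${params}${_b64e(salt)}${_b64e(tag)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the tag from the stored salt/params and compare in constant time.

    Malformed or foreign hash strings fail closed rather than raising.
    """
    try:
        _, scheme, params, salt_b64, tag_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        salt, expected = _b64d(salt_b64), _b64d(tag_b64)
        tag = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=2 ** int(kv["ln"]), r=int(kv["r"]),
                             p=int(kv["p"]), dklen=len(expected))
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(tag, expected)


def migrate_plaintext_store(records):
    """Rewrite every record with a hash in place of the password.

    This is the one-time migration possible while the site still holds the
    plaintext file. The IP field is dropped on the way out: under the
    data-minimisation point above it does not belong in the credential store.
    """
    return [
        {"user": r["user"], "email": r["email"],
         "password_hash": hash_password(r["password"])}
        for r in records
    ]


if __name__ == "__main__":
    migrated = migrate_plaintext_store(PLAINTEXT_STORE)
    for rec in migrated:
        print(rec["user"], rec["password_hash"])
    print(verify_password("hunter2", migrated[0]["password_hash"]))   # True
    print(verify_password("hunter3", migrated[0]["password_hash"]))   # False
```

Two points the code makes that the list above does not: the salt and cost parameters travel with each hash, so the site can raise the work factor later without a second migration, and verification uses a constant‑time comparison so a login endpoint does not leak how many bytes of the tag matched. After a breach like this one the migration is necessary but not sufficient: the leaked plaintext passwords are already in attackers’ hands, so the migrated accounts still need a forced reset.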

Longer‑term governance

  • Data minimisation – Only collect information essential for the service (e.g., a username and optional email). Remove unnecessary fields such as IP logs after a reasonable retention period.
  • Access controls – Limit privileged access to the credential store to a small number of named administrator accounts, each protected by hardware‑based MFA, so that every access is attributable to a person rather than to a shared login.
  • Regular penetration testing – Schedule at least annual external testing to discover misconfigurations before attackers do.

The broader lesson

The Myspace93 incident shows that nostalgia projects are not exempt from modern data‑protection obligations. Even a small community‑run site must treat user credentials as high‑value assets. Storing passwords in plain text is a practice that should have been retired years ago; its continued use invites not only technical exploitation but also significant legal liability.

For users, the breach is a reminder to treat every password as unique and to adopt password‑manager tools that generate truly random secrets. For operators, it is a call to embed privacy‑by‑design into the DNA of any service, no matter how whimsical the front‑end may appear.


If you discover that your credentials were part of this dump, change them immediately and consider enabling 2FA on all linked accounts. For more guidance on securing your online identity, see the Electronic Frontier Foundation’s password advice.
