You may not remember your Myspace account—the early aughts were a while ago—but it remembers you. So does your LinkedIn account, even though you haven’t logged into it since you were desperately casting about for a job after college. Those retail-website accounts that promised 15 percent discounts? They haven’t forgotten, either.
The internet is in a constant state of flux. Websites come and go, logos are redesigned, and advertisers find new ways to track people. Even the pages that appear most set in stone—like, say, a Pulitzer-finalist series of investigative journalism—may one day disappear. “Link rot” has riddled blogs, news websites, and even the Supreme Court with dead links.
Despite this online transience, one type of data does have a deceptively long lifespan. User information—usernames, passwords, profiles, and related personal data—can endure for years, in part because it’s commercially valuable for companies to hang onto it.
And those details can survive even long after a website changes ownership or goes dark. That means that a social-network or shopping-website account you created as long as a decade ago can still come back to haunt you.
This week, Myspace confirmed that a hacker stole a chunk of accounts in June 2013, and that those accounts are now being sold on a deep-web forum. According to LeakedSource, a website that obtained the leaked user info, more than 360 million accounts were compromised.
The social-networking site fell from grace in the late 2000s, cannibalized in short order by Facebook. The contents of the data dump are a time capsule: Popular passwords in the database include “jordan23,” “blink182,” and “50cent.” Nearly half of the associated email addresses are Yahoo accounts, and Hotmail and AOL are close runners-up.
It may sound comforting to know that all of the affected user accounts are at least three years old—many are likely much older—but old data can continue to be relevant for a long time. Three in five internet users reuse passwords for their online accounts, according to a survey that LastPass, a password manager, conducted last year. (That’s the same proportion that a communications-agency survey turned up eight years ago.) Perhaps a Myspace user opened an online-banking account with the same email address and password in the 2000s, and hasn’t changed it since. That account, and any other that piggybacked on Myspace credentials, is now vulnerable.
It’s a sad irony that the information that can cause the most harm if released—user information—has a far longer lifespan than the internet’s most precious treasures. The best writing, videos, music, and websites of years past may fade as platforms come and go and filetypes are no longer supported. But user data remains one of the most valuable assets that a company can own, and so it may keep popping up in inconvenient places long after it should.
Take, for example, LinkedIn, which was hacked in 2012. At the time, about 6.5 million passwords were leaked—about 3 percent of its total user base. But last month, another 117 million email-password combinations from the same hack cropped up for sale on the dark web, bringing the proportion to two-thirds.
The internet’s interminable memory for personal information is one of dozens of reasons to take the time to set up a password manager. Setting a different password for every account compartmentalizes sensitive information, keeping other accounts insulated in the event of a hack—even if the stolen data is made public years after a breach.