Data leak
MySpace Server Compromise (360M Accounts, Unsalted SHA-1)
Primary Source
Incident Details
MySpace, once the world's largest social network, suffered a breach (believed to have occurred around 2008) that was not publicly revealed until May 2016, when approximately 360 million email address and password combinations appeared for sale on dark web markets. MySpace never publicly disclosed the specific breach vector. The passwords had been stored as unsalted SHA-1 hashes of only the first 10 characters of each password, lowercased: an extraordinarily weak hashing scheme that made virtually all passwords trivially crackable, since no salt is present to defeat precomputed tables and truncation plus case-folding collapses many distinct passwords into the same stored value. The 8-year delay between breach and disclosure meant hundreds of millions of users' credentials had been available to attackers for years without their knowledge. By 2016, MySpace had declined from its peak of 100 million monthly users to a much smaller platform, limiting the immediate impact. However, the old credentials remained valuable for credential stuffing attacks on other sites where users had reused their MySpace passwords.
Technical Details
- Initial Attack Vector
- Unknown server compromise; passwords stored as unsalted SHA-1 hashes of only the first 10 lowercase characters of each password, trivially crackable with rainbow tables
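The following is an added example, not MySpace's code or anything recovered from the breach. It reproduces the storage scheme the page describes (unsalted SHA-1 over the first 10 characters, lowercased) to show how many distinct passwords collapse into one stored hash, and contrasts it with a per-user salted, iterated KDF (PBKDF2-HMAC-SHA256) in which the same password yields a different digest under each salt, so a single precomputed table cannot cover a whole user base. The sample passwords and the 600,000 iteration count are constructed values for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Added example (not MySpace's code). Reproduces the weak scheme described on the
# page and contrasts it with a salted, iterated KDF. Sample inputs are constructed.


def weak_canonical_form(password: str) -> str:
    """The only part of a password that reached the hash under the scheme described:
    the first 10 characters, lowercased. Everything beyond that is discarded."""
    return password[:10].lower()


def weak_hash(password: str) -> str:
    """Unsalted SHA-1 over the canonical form, hex-encoded (40 hex characters).
    No salt means identical inputs always produce identical stored values."""
    return hashlib.sha1(weak_canonical_form(password).encode("utf-8")).hexdigest()


def group_by_weak_hash(passwords: Iterable[str]) -> Dict[str, List[str]]:
    """Group distinct passwords that become indistinguishable once stored this way.
    Returns only the hashes that more than one password maps to."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for pw in passwords:
        groups[weak_hash(pw)].append(pw)
    return {h: pws for h, pws in groups.items() if len(pws) > 1}


# Hardened alternative: a random 16-byte salt per user plus an iterated KDF.
# Iteration count is a constructed illustrative value, not a page-sourced number.
PBKDF2_ITERATIONS = 600_000


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 digest over the full password (no truncation,
    no case-folding). A fresh salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def strong_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: several passwords a user might think are distinct.
    sample = ["Password123!", "password12", "PASSWORD1234567890", "letmein", "LetMeIn"]
    for h, pws in group_by_weak_hash(sample).items():
        print(f"{h}  <-  {pws}")

    salt, digest = strong_hash("Password123!")
    print("correct password verifies:", strong_verify("Password123!", salt, digest))
    print("truncated variant verifies:", strong_verify("password12", salt, digest))
```

Under the weak scheme, "Password123!", "password12" and "PASSWORD1234567890" all store as the same SHA-1 value, so cracking one of them cracks all of them and a single precomputed table covers every account; under the salted KDF the truncated variant no longer verifies, and two users with the same password hold different digests.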
Timeline
- 2008-01-01 Breach occurred
- 2016-05-27 Publicly disclosed
- 2016-05-31 Customers notified