This isn't great: Anyone could get into your Myspace with just your name and birthday

They didn't even need a password.

The last time you logged into your Myspace account was what, 10 years ago? Minimum?

Well fortunately Myspace had an incredibly easy way to regain access to your account. All you needed was your name and birthdate and boom, you were in and could reset your password to a less embarrassing alternative.

Unfortunately it turns out that's all anybody needed to access your old Myspace.

A cybersecurity researcher named Leigh-Anne Galloway brought this to the world's attention Monday. In a blog post, Galloway explained she was trying to gain access to an old Myspace account so she could delete it.

This was back in April. And at the time, she stumbled across this glaring security oversight.

When trying to recover her account, she had to fill out this form:

But after some poking around and testing, she discovered Myspace didn't verify the email address. Sure, it's marked as a "required" field, but you could put in any nonsense email and the account recovery process wouldn't actually check whether it matched.

So all you needed was the full name on the account, as well as the public username. And then a birthday, which isn't that hard to find if you really wanted to.
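To make the gap concrete, here is an added sketch (not Myspace's code, and not the fix Myspace shipped) of a recovery check that requires an email but never compares it, next to one common hardened design where matching details only trigger a one-time token sent to the address on file. The account record, function names and the `outbox` list standing in for outgoing mail are all assumptions made up for this example.

```python
import hashlib, hmac, secrets, time

# Constructed account record; every value here is made up for the example.
ACCOUNTS = {
    "oldprofile": {"name": "Jane Example", "dob": "1990-01-31",
                   "email": "jane@example.com"},
}
TOKENS = {}          # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid


def _same(a, b):
    """Constant-time, case-insensitive comparison of two form values."""
    return hmac.compare_digest(a.strip().lower().encode(),
                               b.strip().lower().encode())


def recover_flawed(username, name, dob, email):
    """The behaviour described above: email must be present but is never compared."""
    acct = ACCOUNTS.get(username)
    if acct is None or not email:
        return False
    # Name and birthday alone decide the outcome, and both are easy to find.
    return _same(name, acct["name"]) and _same(dob, acct["dob"])


def start_recovery(username, name, dob, email, outbox):
    """Hardened: a match grants nothing; it only mails a token to the address on file."""
    acct = ACCOUNTS.get(username)
    if (acct and _same(name, acct["name"]) and _same(dob, acct["dob"])
            and _same(email, acct["email"])):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        TOKENS[digest] = (username, time.time() + TOKEN_TTL)  # store only the hash
        outbox.append((acct["email"], token))  # stand-in for sending mail
    # Same reply either way, so the form does not confirm which details matched.
    return "If the details match, a reset link has been sent."


def finish_recovery(token):
    """Redeem a token exactly once; returns the username, or None if invalid or expired."""
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```

In the hardened version, knowing someone's name, username and birthday gets you nothing unless you can also read the mailbox registered to the account.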

"It seems Myspace wants us all to take security into our own hands," Galloway wrote. "If there is a possibility that you still have account on Myspace, I recommend you delete your account immediately."

She told Myspace and heard nothing

Galloway said she sent Myspace an email detailing this vulnerability back in April when she found it. She got an automated response ... and then nothing else.

So after three months she decided to publicize the gaping security hole while it still existed.

Since Galloway's blog post went live, it's been picked up by WIRED, The Verge, Engadget and others. And Myspace has since made some changes.

For example, that account recovery option is disabled. I tried to access the URL, but it doesn't open anymore and redirects to a different page. Gizmodo noticed this too. You can still see it on the Wayback Machine though.

Myspace also responded, telling Engadget they "enhanced [their] process by adding an additional verification step to avoid improper access." Myspace also said they take data security "very seriously," and will make their process better over time.

Myspace's dubious security history

That might carry some more weight if they hadn't given a similar response in 2016, when they revealed user login data from accounts had been stolen in 2013. And not a few accounts – 360 million users' info was stolen.

Myspace, in acknowledging the breach, said it had "several dedicated teams working diligently" to make sure user data was safe, and said they'd be taking "additional security steps" in light of the report.

And then this happened so ¯\_(ツ)_/¯.

As Galloway noted, maybe a lot of people don't use Myspace anymore (though in 2015, the site said 50 million people a month logged in.)

"So why does this matter?" she continued. "Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability. Whilst Myspace is no longer the number one social media site, they have a duty of care to users past and present."

She also walks through how to delete your Myspace account, FYI.
