This isn't great: Anyone could get into your Myspace with just your name and birthday

They didn't even need a password.

The last time you logged into your Myspace account was what, 10 years ago? Minimum?

Well fortunately Myspace had an incredibly easy way to regain access to your account. All you needed was your name and birthdate and boom, you were in and could reset your password to a less embarrassing alternative.

Unfortunately it turns out that's all anybody needed to access your old Myspace.

A cybersecurity researcher named Leigh-Anne Galloway brought this to the world's attention Monday. In a blog post, Galloway explained she was trying to gain access to an old Myspace account so she could delete it.

This was back in April. And at the time, she stumbled across this glaring security oversight.

When trying to recover her account, she had to fill out this form:

Credit: Wayback Machine

But after some poking around and testing, she discovered Myspace didn't verify the email address. Sure, it's marked as a "required" field, but you could put in any nonsense email and the account recovery process wouldn't actually check if it matched.

So all you needed was the full name on the account, as well as the public username. And then a birthday, which isn't that hard to find if you really wanted to.
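The recovery logic described above, sketched as an added example (not Myspace's code and not from Galloway's post): a handler that requires an email but never compares it, next to one that only ever sends a single-use link to the address on file. The account data, function names and token flow are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed account record; every name and value here is hypothetical.
ACCOUNTS = {
    "oldprofile99": {
        "full_name": "Sam Example",
        "birthdate": "1988-04-12",
        "email": "sam@example.org",
    }
}
PENDING_TOKENS = {}  # token -> username
OUTBOX = []          # stands in for a mail queue: (recipient, token)


def _same(a, b):
    # Case-insensitive, constant-time comparison of two form values.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def _identity_matches(acct, form):
    return (_same(form["full_name"], acct["full_name"])
            and _same(form["birthdate"], acct["birthdate"]))


def recover_flawed(form):
    """Behaviour the article describes: email must be present but is never compared."""
    acct = ACCOUNTS.get(form["username"])
    if acct is None or not form.get("email"):
        return "rejected"
    if _identity_matches(acct, form):
        return "access_granted"  # name and birthday alone unlock the account
    return "rejected"


def recover_hardened(form):
    """Never grants access directly; control of the stored mailbox must be proven."""
    acct = ACCOUNTS.get(form["username"])
    if (acct and _identity_matches(acct, form)
            and _same(form.get("email", ""), acct["email"])):
        token = secrets.token_urlsafe(32)
        PENDING_TOKENS[token] = form["username"]
        OUTBOX.append((acct["email"], token))  # goes to the address on file only
    return "check_your_email"  # same reply either way, so the form leaks nothing


def redeem(token):
    # Single-use: the token is removed as soon as it is redeemed.
    return PENDING_TOKENS.pop(token, None)
```

The hardened handler also returns the same response whether or not the details matched, so the form can't be used to confirm which usernames, names and birthdays belong together.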

"It seems Myspace wants us all to take security into our own hands," Galloway wrote. "If there is a possibility that you still have account on Myspace, I recommend you delete your account immediately."

She told Myspace and heard nothing

Galloway said she sent Myspace an email detailing this vulnerability back in April when she found it. She got an automated response ... and then nothing else.

So after three months she decided to publicize the gaping security hole while it still existed.

Since Galloway's blog post went live, it's been picked up by WIRED, The Verge, Engadget and others. And Myspace has since made some changes.

For example, that account recovery option is disabled. I tried to access the URL, but it doesn't open anymore and redirects to a different page. Gizmodo noticed this too. You can still see it on the Wayback Machine though.

Myspace also responded, telling Engadget they "enhanced [their] process by adding an additional verification step to avoid improper access." Myspace also said they take data security "very seriously," and will make their process better over time.

Myspace's dubious security history

That might carry some more weight if they hadn't given a similar response in 2016, when they revealed user login data from accounts had been stolen in 2013. And not a few accounts – 360 million users' info was stolen.

Myspace, in acknowledging the breach, said it had "several dedicated teams working diligently" to make sure user data was safe, and said they'd be taking "additional security steps" in light of the report.

And then this happened so ¯\_(ツ)_/¯.

As Galloway noted, maybe a lot of people don't use Myspace anymore (though in 2015, the site said 50 million people a month logged in).

"So why does this matter?" she continued. "Myspace is an example of the kind of sloppy security many sites suffer from, poor implementation of controls, lack of user input validation, and zero accountability. Whilst Myspace is no longer the number one social media site, they have a duty of care to users past and present."

She also walks through how to delete your Myspace account, FYI.
