MySpace security hijack: How your old account can haunt you

Chris Burns - Jul 17, 2017

MySpace accounts can be hijacked with only three pieces of easy-to-obtain information. Once the attacker has the URL for the account they want to break into, they need only head to the Account Recovery page. Normally this would be a place where a human would verify the information, or where access to an email account would at least be necessary. This form requires nothing of the sort. It’s incredibly easy to break into any MySpace account right this minute.

OF NOTE: Neither I nor SlashGear recommend anyone use this information to gain access to a MySpace account that they did not create. The information in this article is being presented so that users – former users of MySpace – can, as quickly as possible, delete their old account or accounts.


The information required to gain access to an account of any person’s choosing was as follows:
1. Full Name used to sign up for MySpace.
2. Username – that’s in the URL.
3. Birth Date.

That’s it – the email section of the form didn’t actually do anything, regardless of the tiny star next to the space on the form. This form has been up for a while – basically forever, in Internet years.

This vulnerability was discovered this week by one Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies. As of publish time for this article, it would appear that MySpace has replaced the original Account Recovery Tool with a slightly more secure form. This new form sends an email to a real human being.
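The gap between the old form and an email-verified one can be shown in a few lines. This is an added sketch, not MySpace's code: the account record, function names, in-memory stores and the 15-minute token lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record; every value here is made up.
ACCOUNTS = {"tom": {"name": "Tom Example", "dob": "1980-01-01",
                    "email": "tom@example.com"}}
TOKENS = {}       # sha256(token) -> (username, expiry); only hashes are stored
OUTBOX = []       # stands in for the mail system: (address, token)
TOKEN_TTL = 900   # seconds; assumed lifetime

def _eq(a, b):
    # Case-insensitive, constant-time comparison of two form values.
    return hmac.compare_digest(a.strip().lower().encode(),
                               b.strip().lower().encode())

def recover_weak(username, name, dob, email=""):
    """Behaviour the article describes: the email field is accepted but
    never checked, so name + username + birth date is the whole test."""
    acct = ACCOUNTS.get(username)
    return bool(acct and _eq(acct["name"], name) and _eq(acct["dob"], dob))

def request_recovery(username, now=None):
    """Hardened: the requester learns nothing, and a random token goes
    only to the address already on file."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        TOKENS[digest] = (username, now + TOKEN_TTL)
        OUTBOX.append((acct["email"], token))
    # Same reply whether or not the account exists.
    return "If the account exists, a recovery link has been sent."

def redeem(token, now=None):
    """Single-use, time-limited: returns the username or None."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry and now <= entry[1]:
        return entry[0]
    return None
```

In the hardened path, control of the mailbox on file is the proof of ownership; name and birth date, which are often public, prove nothing.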

This is not the first time MySpace has been less than careful with account information. You need only look back to the year 2016 to see the last time MySpace lost your password. While the vast majority of people who ever used MySpace are no longer active, thousands – if not millions – of accounts contain information that could be useful to a malicious third party.

TO DELETE YOUR ACCOUNT – assuming you can gain access at this point – you’ll want to log in, first. Then head to Account Settings, Delete Account, Delete Account (the button), then confirm the Delete Account through an email. If you no longer have access to the email in question, change this email to your most recent email through the same Account Settings page. Easy as pie, say goodbye to the past which continues to haunt us all.

