Remember when Myspace suffered one of the largest user data breaches ever? Around 360 million accounts were compromised in June 2013, but Myspace said in 2016 when it disclosed the incident that it was taking action to shore up its security. Which would be great, except that it turns out anyone could have taken over any Myspace account if they had the account owner’s listed name, username, and date of birth. Whoops!
Security researcher Leigh-Anne Galloway notified Myspace about the flaw in April, and published details about it on Monday after failing to receive a substantive response.
The problem stems from Myspace not being, you know, the most widely-used service anymore. As such, it has extensive mechanisms and advice available for recovering accounts when you’ve lost the password, no longer have access to the email address associated with the account, or don’t remember your Myspace username.
Galloway discovered that the Account Recovery form doesn't actually require very much information to validate ownership of an account and take control of it. Since the name and username associated with an account show up on its public profile, Myspace’s account recovery setup was such that you really only needed someone’s date of birth to complete an account takeover. The form claimed that other fields like the account email address were "required," but it wasn't actually validating these fields in practice.
“This is indicative of the landscape we live in,” Galloway says. “Everything is done online, which means there is more and more code online. Web applications are the front door to an organization. The consequences of getting access can be catastrophic.”
Galloway discovered this while attempting to delete her own account. On Monday at 1:42 ET the company redirected its Account Recovery URL so it no longer takes browsers to the vulnerable form. You can still see it here on the Wayback Machine.
Who can say! Myspace has been cagey for years about how many users it still has, and it's unclear how long this account recovery form was live. “I haven't had a response from MySpace,” Galloway says. A lot of Myspace user data got scrubbed in its redesign a few years ago, but the mass exodus away from the service when social networks like Facebook were on the rise definitely left a number of forgotten accounts that are still live in some form and could be exploited.
Myspace's decision on Monday to revoke public access to the page indicated that the company was aware of the situation and investigating. It later said in a somewhat forlorn statement, "In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access. We take data security very seriously at Myspace. We plan to continue to refine and improve this process over time."
Last year some estimates said that Myspace, which was purchased by Time Inc. last year and lives on as a music and entertainment-focused site, was still hanging on to 20 million to 50 million unique views per month. But legacy technologies can still potentially hold valuable data, and Myspace of all services should know this after it disclosed its massive breach in 2016.
"I think the public is just waking up to the realities of living a connected life," Galloway says. "This is a good thing and will put more pressure on organizations to implement smarter security."
This flaw may not be the worst digital threat facing consumers right now, but each small erosion of consumer trust adds up. If you still have a Myspace account kicking around, the time has come to rediscover its existence, and delete it.
This post has been updated to include comment from Myspace.
