Lurking in the annals of internet history, MySpace was arguably the first big social networking site. It boasted millions of active users and made a significant cultural impact. While some used it as a way of finding a following and a career (including Lily Allen, Calvin Harris, and Adele), most were content with choosing a fun background wallpaper and making an interesting bio.
MySpace has largely been forgotten — that is, it’s not front and center in the public consciousness. It’s been superseded by Facebook and Twitter. And yes, it’s still running.
Worse, MySpace hasn’t forgotten you. And it might be leaking all your private information.
What’s Coming Back to Haunt You?
Security checks on major sites nowadays are generally pretty tight. You can rely on them to have proper precautions to keep your password secure and all your personal data private. That’s how it should be.
To gain access to your old MySpace and take control, all a hacker has needed since the site’s heyday is your name, username, and date of birth. They don’t need any sort of password or even validation via an email address.
This security flaw came via its “Account Recovery” page. A lot more thought should be put into it: the company’s gone through a rebrand that it hopes will draw old users back, so recovering an account is essential.
You’d think once a request is made, it would at least email some sort of verification to the associated address before allowing access. Instead, all it needs is readily-available information.
A name is so simple to find out, as is your username — actually in the profile URL, although you’ve probably forgotten it by now yourself! Meanwhile your date of birth might be available through various leaks (which we’ll come back to) or Facebook. The latter mostly depends on what details you’ve surrendered to the social network, and your privacy settings.
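The email verification step the recovery page lacked can be sketched as follows. This is an added example, not MySpace's code; the `RecoveryService` class, its field names, the 15-minute lifetime and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


class RecoveryService:
    """Hypothetical recovery flow; not MySpace's code."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> {"name", "dob", "email"}
        self.pending = {}         # username -> (sha256 of token, expiry time)
        self.outbox = []          # stand-in for a real mail sender

    def request_reset(self, username, name, dob, now=None):
        """Matching name/username/date of birth only triggers an email."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct and acct["name"] == name and acct["dob"] == dob:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[username] = (digest, now + TOKEN_TTL)  # hash only
            self.outbox.append((acct["email"], token))
        # Identical reply either way, so the form confirms nothing to a guesser.
        return "If those details match an account, a link was emailed to it."

    def redeem(self, username, token, now=None):
        """True only for an unexpired token that was mailed to the owner."""
        now = time.time() if now is None else now
        digest, expiry = self.pending.get(username, ("", 0.0))
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[username]  # single use
        return True


if __name__ == "__main__":
    # Constructed sample account
    svc = RecoveryService({"alex_m": {"name": "Alex Moreno",
                                      "dob": "1990-01-01",
                                      "email": "alex@example.com"}})
    print(svc.request_reset("alex_m", "Alex Moreno", "1990-01-01"))
    address, token = svc.outbox[-1]
    print(svc.redeem("alex_m", "guessed-token"), svc.redeem("alex_m", token))
```

Knowing the public details gets a requester nothing but a message sent to the owner's inbox; control of that inbox is what authorizes the change.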
What’s the Harm?
What’s worse, MySpace has known about this for a few months, and did nothing about it until it got some bad press from major media outlets. Now, the URL redirects to a login page. It’s in no way ideal.
And that in itself is noteworthy.
I'm "learned HTML just so I could customize my MySpace page" years old.
— Hot Little Mongoose (@HLMongoose) July 20, 2017
We’ve got Leigh-Anne Galloway from Positive Technologies to thank for exposing this vulnerability. She first found the issue in April, and accordingly alerted MySpace. She received an automated email in response… and that’s it. Three months on, she decided the world should know, and MySpace was forced to actually do something.
You might wonder what the fuss is all about. Surely there’s nothing of interest still on there?
Essentially, a cybercriminal could take complete control of your profile by changing the email address and password MySpace uses. This is identity theft.
And while there’s not vast amounts of information still on there, it’s not to be sniffed at.
How do you feel about a complete stranger having access to photos of you when you were younger? Most likely, when you were a teenager? Creepy, isn’t it? If there’s anything embarrassing on there, how would you feel if it were used against you? Nowadays, celebrities have their old social media accounts scoured by various industries, including the media, so a precedent has been set for using MySpace against people.
Indeed, the site still gets particularly good stats on a Thursday, when old digital photos are resurrected for regurgitation as part of “Throwback Thursdays.”
That’s without mentioning that even your Personally Identifiable Information (PII) — like birthday, email address, and phone numbers — is worth money to scammers.
What’s the Good News?
Yes, there is good news, but even that has a coda to it.
Your MySpace will be virtually unrecognizable to you.
This is due to a rebrand. MySpace reinvented itself into a social site that focuses on music. All profiles lost their personalization, so if you ever wished to remember which embarrassing wallpaper you’d set, you’re out of luck. Various details have vanished, including some of those “Top X” lists of favorite books, TV, films, and songs.
The problem remains: your profile isn’t a clean sheet. Not all personal information has disappeared. Again, we shouldn’t underestimate the worth of personally identifiable information.
Furthermore, a lot of data can be inferred from basic information. Take Facebook as an example: the service knows a lot about you (whether you’re an active member or not), so hackers could get a fair assessment of you from that. Digital Shadow demonstrates what details can be guessed about you based on comparatively little data.
MySpace isn’t even as dead as you thought it was. In November 2015, it was getting 50.6 million unique users in the U.S. alone, and handling more than 465 million email addresses. That’s a lot of data potentially up for grabs.
Wait, Wasn’t MySpace in Trouble Recently?
As if this weren’t bad enough, MySpace is pictured in a particularly bad light after another shocker from 2016. Or 2008, rather.
Sometimes, companies keeping quiet about data breaches can be a good thing. But MySpace suffered a major leak, and we only found out about it at least three years after the hack. The first we knew about it was in 2016, when more than 360 million email addresses and over 427 million passwords were up for sale, via the social network.
The original hack could’ve occurred anytime between 2008 and 2013.
If you used MySpace, head over to haveibeenpwned.com. This tells you whether your data has been part of a breach. If you can recall the email you used to sign up to MySpace all those years ago, type it in. Shocking, right?
Jeff Bairstow, Time Inc. Executive Vice President and Chief Financial Officer, reassured users:
“We take the security and privacy of customer data and information extremely seriously — especially in an age when malicious hackers are increasingly sophisticated and breaches across all industries have become all too common. Our information security and privacy teams are doing everything we can to support the MySpace team.”
We’ve been told that private information is taken seriously. Yet this latest security flaw has been intact since that hack.
The passwords stolen in the hack were stored as Secure Hash Algorithm 1 (SHA-1) hashes. This turns each password into a different string of digits, but isn’t actually very secure. Salting combined with slow hashes is a better way of protecting your password — it’s not infallible, because nothing ever is, but right now, that’s as good as it gets.
Now, however, it seems that, even if MySpace had implemented stronger password protection, the simple account recovery process would’ve rendered it moot.
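The difference between plain SHA-1 storage and a salted, slow hash shows up in a few lines of code. This is an added example, not code from MySpace: it assumes the SHA-1 hashes carried no salt, uses PBKDF2-HMAC-SHA256 as one slow hash (the article does not name one), and the iteration count, storage format and sample passwords are constructed.

```python
import hashlib
import hmac
import secrets
from collections import Counter

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def sha1_unsalted(password):
    """Fast SHA-1 digest with no salt (assumed form of the weak scheme)."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash; the random salt is stored beside the result."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost, compare in constant time."""
    scheme, iterations, salt_hex, key_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def shared_hashes(stored_values):
    """Count stored values that appear more than once in a credential table."""
    return sum(n for n in Counter(stored_values).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample: two of three users chose the same password.
    passwords = ["sunshine1", "sunshine1", "correct horse battery"]
    print(shared_hashes([sha1_unsalted(p) for p in passwords]))
    print(shared_hashes([hash_password(p) for p in passwords]))
```

With no salt, identical passwords produce identical stored values, so one recovered password exposes every account that shares it; the per-user salt removes that link and the iteration count makes each guess expensive.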
What Should You Do?
What does this say about internet security?
MySpace is just the latest example of a big company, albeit one largely forgotten by the masses, not taking adequate care of your information. It’s simply not good enough. Security measures should always be kept up to date, no matter how long ago a site’s heyday was.
What can you do about it? First of all, MySpace has taken down the related page, so right now, you can’t get into the network unless you can remember your login details. Hopefully, the site will tighten up security.
However, it’s not proving trustworthy. It may be unfair on MySpace to advise you to delete your account, but that’s exactly what Leigh-Anne Galloway has done. You can understand why. Certainly, if you don’t intend to migrate back to MySpace, it would be churlish not to delete all your information from there.
Have you deleted your account? Are you concerned about further leaks? Or do you feel it’s pointless to delete what’s already out there, after the number of security compromises?
Image Credit: thelefty via Shutterstock.com