Ten years ago, MySpace was one of the hottest sites on the Internet. In the U.S., MySpace was pulling in more than 72 million unique visitors every month. Facebook lagged way behind at just 23 million. Just four years later things had taken a dramatic turn. Facebook more than doubled, nearly reaching 160 million. MySpace traffic had dropped by nearly 50%.
Users had moved on to the next big thing and they left millions of MySpace accounts sitting idle as they spent more and more of their time on Facebook. Fast forward to this year, and all those idle MySpace accounts had become easy targets for hackers.
Leigh-Anne Galloway, the cyber resilience lead at Positive Technologies, noticed signs of trouble back in April. She spotted a serious shortcoming in MySpace’s account recovery tool.
Like many sites, MySpace provided a way to recover your account if you no longer used the email address you signed up with. Galloway discovered that MySpace was only asking for a few pieces of information that aren’t all that difficult to find: the username, real name, email address and date of birth. According to Galloway, the system also lacked sufficient brute-force protections. That means a hacker could make repeated attempts to break in with very little difficulty.
You may also remember a major security incident involving MySpace. In 2013, hackers gained access to full account information on around 360 million MySpace users. MySpace invalidated all the passwords, but the rest of that information — which included usernames and email addresses — has been floating around publicly ever since.
As Galloway notes, matching up a date of birth might be tricky, but it’s certainly possible. With so much leaked, hacked and overshared data floating around online, it’s much easier than it should be.
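For site operators, the missing brute-force protection described above can be sketched as a cap on failed recovery attempts per target account, so date-of-birth guesses cannot simply be repeated. This is an added example, not MySpace's code: the class and function names, the 5-failures-per-hour policy and the sample record are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

class RecoveryThrottle:
    """Caps failed recovery attempts per target account, whatever the source IP."""

    def __init__(self, max_failures=5, window=3600, clock=time.monotonic):
        self.max_failures = max_failures   # assumed policy value
        self.window = window               # sliding window in seconds (assumed)
        self.clock = clock
        self._failures = defaultdict(deque)  # username -> failure timestamps

    def _prune(self, username):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[username]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def locked(self, username):
        return len(self._prune(username)) >= self.max_failures

    def record_failure(self, username):
        self._prune(username).append(self.clock())

def _same(a, b):
    # Constant-time comparison of normalized values.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())

def attempt_recovery(throttle, record, submitted):
    """record: the stored account already looked up by the submitted username.
    Returns 'locked', 'denied' or 'matched' for one recovery submission."""
    user = record["username"]
    if throttle.locked(user):
        return "locked"  # refuse before comparing anything, even a correct guess
    fields = ("username", "real_name", "email", "date_of_birth")
    if not all([_same(record[f], submitted.get(f, "")) for f in fields]):
        throttle.record_failure(user)
        return "denied"
    # The four fields are findable, so a further verification step should follow.
    return "matched"

# Constructed sample record; not real account data.
SAMPLE = {"username": "example_user", "real_name": "Example Person",
          "email": "user@example.com", "date_of_birth": "1990-01-01"}
```

Counting failures against the account rather than the requester means that spreading guesses across many addresses does not raise the number of attempts allowed.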
The good news here is that MySpace has now “enhanced [the recovery] process by adding an additional verification step to avoid improper access.” A MySpace spokesperson added that the company “take[s] data security very seriously” and “plan[s] to continue to refine and improve this process over time.”
So what’s the best way to keep an impersonator from trying to hijack your old MySpace account? If you no longer use it, delete it. Not just your MySpace account, either. If you’ve got inactive accounts on other sites like it, delete them, too.