Account Recovery Flaw Leaves Myspace Data Open To Hackers

A security researcher has revealed that anyone’s old Myspace account can be easily accessed just by knowing a few basic pieces of personal information.

Myspace became one of most popular social network sites following its creation in 2003, but was rapidly overtaken by Facebook and others.

At its peak it attracted around 75 million active users a month and these users have now been warned that their accounts are at risk of being hacked.

Open door

According to Leigh-Anne Galloway, a security researcher at Positive Technologies, the account recovery mechanism that Myspace provides for users who no longer have access to their old email addresses can be quite easily tricked into letting anyone in.

All hackers need to know the target user’s full name, username and date of birth, all information that is often freely available from other social networks.

Speaking to Motherboard, Galloway said: “Companies have a duty of care to users past and present. Myspace is an enormous graveyard of personal data. If you have an end of life application or website, you have to have a plan.”

She added that she was “horrified” at Myspace’s “complete lack of due diligence” when it comes to the privacy of their former users.

Motherboard confirmed the Galloway’s claims, testing the flaw on two accounts and finding that it was able to “write new posts, read old messages, and basically do whatever the account owner’s could do”.

Speaking to Silicon, a spokeswoman said: “In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access. We take data security very seriously at Myspace. We plan to continue to refine and improve this process over time.”

The news comes after 360 million MySpace accounts were stolen and leaked online last year, many of which contained username and password information.

Are you a security pro? Try our quiz!