If you are one of the almost half a billion people who at some point had an account on Myspace, the hottest social network of the mid-2000s, you should know that anyone who knows your full name, username, and date of birth can take over that account.
Myspace offers a mechanism to recover an account for people who have lost access to their old associated email address. A security researcher has discovered that it's relatively easy to abuse this mechanism to hack into anyone's account. All a wannabe hacker needs is the target's full name, username, and date of birth.
Security researcher Leigh-Anne Galloway disclosed the vulnerability on Monday. She says she informed Myspace about the vulnerability almost three months ago and the site hasn't acknowledged or fixed it. (Myspace did not respond to a request for comment.)
Obviously, we're not in 2006 anymore, and very few people still use or care about their Myspace accounts. But Myspace, which last year had to admit that it lost the passwords of more than 400 million users, should still take care of its users' security, according to Galloway.
"Companies have a duty of care to users past and present. Myspace is an enormous graveyard of personal data. If you have an end of life application or website, you have to have a plan," Galloway, a researcher at Positive Technologies, a security firm, told Motherboard in a Twitter chat.
Galloway said that when she found out about the flaw she was "horrified" and "shocked" by "the complete lack of due diligence" on Myspace's part.
Motherboard verified that, indeed, all one needs to take over somebody else's Myspace account is full name, username, and date of birth. Once we finished the recovery process we had full access to the two accounts: we could write new posts, read old messages, and basically do whatever the account owner could do. (Thanks again to the two brave volunteers who let us break into their old accounts.)
Scott Helme, a security researcher who acted as one of the guinea pigs to test the flaw, said that Myspace's account recovery feature is "insane."
"Even if everything worked and they did require the correct email address, it's still public information, my email address isn't a secret!" he said in an online chat. "I'm shocked they haven't fixed this."
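The weakness the researchers describe is a general one: a recovery flow that accepts facts an attacker can look up (name, date of birth, even the registered email address) is not verifying anything. The short Python model below is an added illustration, not Myspace's code (which has not been published); the account record, the usernames, the 15-minute expiry and the five-attempt lockout are all assumptions for the demo. The weak flow reproduces the behaviour the article reports; the hardened flow instead generates a single-use token that the server delivers to the registered address, so the requester has to prove possession of the mailbox rather than knowledge of the address.

```python
"""
Account recovery: knowledge of public attributes versus possession of a
one-time token. Added illustration, not Myspace's code; all records,
names and limits below are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a recovery token is valid for 15 minutes
MAX_ATTEMPTS = 5              # assumption: lock recovery after 5 wrong tokens


@dataclass
class Account:
    username: str
    full_name: str
    dob: str                  # ISO date, e.g. "1988-04-02"
    email: str                # registered contact address (public, per Helme)
    token_hash: Optional[str] = None   # server-side state for the hardened flow
    token_expires: float = 0.0
    failed_attempts: int = 0


# Constructed sample directory: everything in it could be scraped from a
# public profile or read out of a breach dump.
ACCOUNTS = {
    "tom_demo": Account("tom_demo", "Tom Example", "1988-04-02", "tom@example.invalid"),
}


def weak_recover(username: str, full_name: str, dob: str) -> bool:
    """Knowledge-based check modelled on the flow the article describes.
    Every input is public, so anyone who can read the profile passes."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return acct.full_name == full_name and acct.dob == dob


def start_recovery(username: str, now: Optional[float] = None) -> str:
    """Possession-based flow, step 1: mint a random single-use token, store
    only its hash, and hand the token to the mailer for delivery to the
    registered address. It is never shown to the requester. An unknown
    username gets a decoy token and no stored state, so the response does
    not reveal which usernames exist."""
    current = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct = ACCOUNTS.get(username)
    if acct is not None:
        acct.token_hash = hashlib.sha256(token.encode()).hexdigest()
        acct.token_expires = current + TOKEN_TTL_SECONDS
        acct.failed_attempts = 0
    return token


def finish_recovery(username: str, presented: str, now: Optional[float] = None) -> bool:
    """Step 2: the requester proves possession of the mailbox by presenting
    the token. Single use, time-limited, constant-time compare, bounded
    attempts. Name, date of birth and email address are never accepted."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct.token_hash is None:
        return False
    current = time.time() if now is None else now
    if current > acct.token_expires or acct.failed_attempts >= MAX_ATTEMPTS:
        acct.token_hash = None        # expired or locked: a fresh start is required
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(presented_hash, acct.token_hash):
        acct.failed_attempts += 1
        return False
    acct.token_hash = None            # consume the token: exactly one successful use
    return True


if __name__ == "__main__":
    # Attacker holding only public data: succeeds against the weak flow.
    print("weak flow, public data only:", weak_recover("tom_demo", "Tom Example", "1988-04-02"))
    # Against the hardened flow the token goes to the mailbox, not the attacker.
    start_recovery("tom_demo")
    print("hardened flow, attacker guess:", finish_recovery("tom_demo", "public-info-is-not-a-secret"))
    # The real owner, reading the mailbox, redeems it once; a replay fails.
    token = start_recovery("tom_demo")
    print("hardened flow, owner with token:", finish_recovery("tom_demo", token))
    print("hardened flow, replayed token:", finish_recovery("tom_demo", token))
```

The design point is the one Helme makes: requiring the correct email address would not have helped, because the address is public; what the hardened flow requires is something only the mailbox holder can obtain. Logging each `start_recovery` call and rate-limiting it per account and per source address is the other check a practitioner would add, since recovery pages are routinely used for username enumeration and mailbox flooding.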
If you don't want strangers taking control of your old Myspace account and going through your embarrassing high school pictures, you can recover control of it here and follow this procedure to delete the account.
UPDATE, July 18, 11:39 AM EDT: hours after Galloway disclosed this flaw, Myspace shut down the page where people could recover access to their accounts, or hack someone else's. The original URL now redirects to a different page, and people who want to recover an old account without access to the associated email address now have to fill out a different form.
Also, Myspace told Wired in a statement: "In response to some recent concerns raised regarding Myspace user account reactivation, we have enhanced our process by adding an additional verification step to avoid improper access. We take data security very seriously at Myspace. We plan to continue to refine and improve this process over time."