During the social network's heyday, multiple Myspace employees abused an internal company tool to spy on users, in some cases including ex-partners, Motherboard has learned.
Named 'Overlord,' the tool allowed employees to see users' passwords and their messages, according to multiple former employees. While the tool was originally designed to help moderate the platform and allow MySpace to comply with law enforcement requests, multiple sources said the tool was used for illegitimate purposes by employees who accessed Myspace user data without authorization to do so.
"It was basically an entire backdoor to the Myspace platform," one of the former employees said of Overlord. (Motherboard granted five former Myspace employees anonymity to discuss internal Myspace incidents.)
The abuse happened about a decade ago, closer to the height of the platform's popularity, according to multiple sources. In fall 2006, the platform signed up its 100 millionth user. Around this time, Myspace was the second most popular website in the U.S., and ranked higher than Google search.
The existence and abuse of Overlord, which was not previously reported, shows that since the earliest days of social media, sensitive user data and communication has been vulnerable to employees of huge platforms. In some cases, user data has been maliciously accessed, a problem that companies like Facebook and Snapchat have also faced.
Do you know about another data abuse incident? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Overlord was a Myspace administration tool used for gathering information in order to respond to law enforcement requests, according to two of the former employees. Overlord was also used to moderate content on the platform, according to one of the former employees and descriptions of Overlord found in LinkedIn profiles. Those profiles suggested Overlord was used by customer support staff and to enforce copyright takedown requests.
"Every company has it," Hemanshu Nigam, who was Myspace's Chief Security Officer from 2006 to 2010, said in a phone interview referring to such administration tools. "Whether it's for dealing with abuse, or responding to law enforcement or civil requests, or for managing a user's account because they're raising some type of issue with it."
Nigam said he introduced stricter data protection after he joined Myspace.
"It was basically an entire backdoor to the Myspace platform."
Even though social media platforms may need a tool like this for legitimate law enforcement purposes, four former Myspace workers said the company fired employees for abusing Overlord.
"The tool was used to gain access to a boyfriend/girlfriend's login credentials," one of the sources added. A second source wasn't sure if the abuse did target ex-partners, but said they assumed so.
"Myspace, the higher ups, were able to cross reference the specific policy enforcement agent with their friends on their Myspace page to see if they were looking up any of their contacts or ex-boyfriends/girlfriends," that former employee said, explaining how Myspace could identify employees abusing their Overlord access.
Two former employees said Overlord was easy to use. It is unusual today for an administration tool to be able to access the plaintext version of a user's password. Typically passwords are stored in a so-called hash, which still allows a user to login but means a company doesn't store the original version of the password (Facebook recently announced it made the mistake of storing hundreds of millions of user passwords in plaintext).
A Myspace spokesperson told Motherboard that an internal Myspace administration tool "allows us to comply with law enforcement/court order subpoenas. It also enables us to protect our users from security and cyber bullying threats."
"Misuse of user data will result in termination of employment," the spokesperson wrote.
The Myspace spokesperson added that, today, access is limited to a "very small number of employees," and that all access is logged and reviewed.
Several of the former employees emphasised the protections in place to mitigate against insider abuse.
"Any tool that is written for a specific, very highly privileged purpose can be misused."
"The account access would be searched to see which agents accessed the account. Managers would then take action. Unless the account was previously associated with a support case, that employee was terminated immediately. This was a zero tolerance policy," one former employee, who worked in a management role, said.
Another former employee said Myspace "absolutely" warned employees about abusing Overlord.
"There were strict access controls; there was training before you were allowed to use the tools; there was also managerial monitoring of how tools were being used; and there was a strict no-second-chance policy, that if you did violate any of the capabilities given to you, you were removed from not only your position, but from the company completely," Nigam, the former CSO, said.
Nonetheless, the former employees said the tool was still abused.
"Any tool that is written for a specific, very highly privileged purpose can be misused," Wendy Nather, head of advisory chief information security officers at cybersecurity firm Duo, said in a phone call. "It's the responsibility of the designer and the developer to put in controls when it's being built to assume that it could be abused, and to put checks on that."
"Every company has it."
The industry has matured around insider data access, though.
"Ten years or more ago, we were trying to find the best way to handle not only the power we had and the capabilities we had, but how to use it with respect and with respect to privacy and security of our users," Nigam said. "Today, the industry is at a point where all of us who are in this business would look at somebody who is not doing these type of things as: you have to be an idiot, it's so obvious." Nigam also said that today, with the much greater amount of data and number of data sources, the responsibility of companies is significantly larger because the impact of misuse is that much greater.
Several tech giants and social media platforms have faced their own malicious employee issues. Motherboard previously reported Facebook has fired multiple employees for abusing their data access, including one as recently as last year. Last month, Motherboard revealed Snapchat employees abused their own access to spy on users, and described an internal tool called SnapLion. That tool was also designed to respond to legitimate law enforcement requests before being abused.
In 2005, News Corporation bought Myspace's parent company for $580 million before selling it to online advertising company Specific Media and popstar Justin Timberlake for $35 million in 2011. The platform was surpassed in popularity by Facebook and, though it still exists, Myspace has just a fraction of its former influence and cultural cachet. In 2016, data hacked from the company trickled down to the public internet, and included hashed user passwords which hackers later cracked.
Tom Anderson, the creator of the social network and default first friend of everyone on Myspace, did not respond to requests for comment sent via Twitter direct message and email.
Subscribe to our new cybersecurity podcast, CYBER.