MySpace Login Security Flaw: Network Fixes Vulnerability That Let Anyone Hijack Account With A Birthday
MySpace, the long-forgotten social network, just got around to closing a massive security loophole that allowed anyone to hijack an account with a simple piece of often-publicly available information.
According to security researcher Leigh-Anne Galloway, the MySpace account recovery page included an apparent flaw that would allow any person to gain access to an account if they knew the account holder’s birthday.
The social network's recovery page, which is designed to help users regain access to their account if they have lost or forgotten their password, relies on just four pieces of information linked to an account: the account holder’s name, username, email address and birthday.
The real name and username of the account holder are publicly listed on the profile page, and MySpace doesn’t perform a check to see if the email address entered by the person attempting to recover the account is correct. In essence, the only thing a person needs to know to hijack an account is a person’s birthday—a relatively easy piece of information to find.
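The check described above, next to one common way to harden it, as an added Python sketch that is not MySpace's code. The field names, the constructed sample account and the `outbox` list standing in for a mail sender are all assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str        # shown on the public profile
    username: str    # shown on the public profile
    email: str       # private, known only to the owner and the site
    birthday: date   # frequently discoverable elsewhere


# Constructed sample record, not real data.
ACCOUNTS = {
    "alice99": Account("Alice Example", "alice99",
                       "alice@example.com", date(1990, 5, 17)),
}

UNIFORM_REPLY = "If the details match, a reset link has been sent."


def recover_weak(form: dict) -> bool:
    """Flawed logic as reported: the email field is collected but never
    compared, so the birthday is the only non-public value checked."""
    acct = ACCOUNTS.get(form["username"])
    if acct is None:
        return False
    return form["name"] == acct.name and form["birthday"] == acct.birthday


def recover_hardened(form: dict, outbox: list) -> str:
    """The form is only a request. Access is never granted here; a random
    single-use token goes to the address already on file."""
    acct = ACCOUNTS.get(form["username"])
    supplied = form.get("email", "").strip().lower().encode()
    if acct and hmac.compare_digest(supplied, acct.email.lower().encode()):
        # Mail the stored address, never the one typed into the form.
        outbox.append((acct.email, secrets.token_urlsafe(32)))
    # Same reply either way, so the page cannot be used to confirm details.
    return UNIFORM_REPLY
```

With the hardened version, knowing the name, username and birthday yields nothing without control of the registered mailbox.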
Galloway discovered the flaw in April and has been pushing MySpace to fix it. The social network, which has dropped to about 50 million monthly active users—a fraction of Facebook’s two billion users per day—ignored the warning from the security researcher.
“It seems Myspace wants us all to take security into our own hands,” Galloway wrote in a blog post disclosing the vulnerability. “If there is a possibility that you still have an account on Myspace, I recommend you delete your account immediately.”
Once the vulnerability was made public by Galloway and highlighted by a number of publications, MySpace finally made the decision to pull the account recovery page in order to make the vulnerability inaccessible to anyone who may want to abuse it. A version of the account recovery page is still viewable via an archived page.
While the recovery page is troubling, especially given how easy it makes it for any person to gain access to an account that is not theirs, it’s also not the first time MySpace has left its users exposed.
In 2016, a database of more than 427 million MySpace account credentials appeared online. Those usernames and passwords came from a hack that occurred in 2012 but was never disclosed to MySpace users.
Those passwords and usernames not only put many of those MySpace accounts—which have since been abandoned by the users who created them—at risk, but also any other account associated with those users. Since many people use the same password, having one account password published online can lead to several being compromised.
Users who would rather not risk the possibility of this or a similar vulnerability leading to their account being compromised can delete their account by logging into their MySpace account, going to “My Stuff,” then “Account Settings.” At the bottom of the page is an option that says “Delete Account.” Click it, then go to your email inbox and look for an email from MySpace that will ask you to confirm the action.
© Copyright IBTimes 2024. All rights reserved.