‘Leak provides easy access to MySpace accounts’
While deleting her own MySpace account, security researcher Leigh-Anne Galloway discovered that other users' accounts are easy to take over. The method uses the account recovery feature.
Galloway writes that it is possible to recover a MySpace account even when the owner no longer has access to the email address. She found this option when she wanted to delete her own account. On the relevant page, the password of an account can be reset by filling in a number of details, including name, date of birth, username, zip code and city. The page gives the impression that the request is checked by a person.
However, the researcher found that only the name, username and date of birth actually had to be filled in. The current email address is not validated. Galloway states that it is quite easy to find the necessary details from public data and thus gain access to arbitrary accounts. For example, the username appears in the URL of a profile, and the name and date of birth can be found in other ways.
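The difference between the recovery check described above and one that also requires proof of control of the registered mailbox can be shown in a short sketch. This is an added example, not MySpace's code; the `Account` record, the in-memory token store, the `manual_review` outcome and all sample values are assumptions constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:               # constructed sample record, not MySpace's schema
    username: str
    name: str
    birth_date: str
    email: str

PUBLIC_FIELDS = ("username", "name", "birth_date")  # the three fields the article names
_pending = {}                # token -> (username, expiry); hypothetical in-memory store

ACCT = Account("alice123", "Alice Example", "1990-01-01", "alice@example.com")
PUBLIC_FORM = {"username": "alice123", "name": "Alice Example",
               "birth_date": "1990-01-01"}          # constructed request

def knowledge_match(acct, form):
    """True when the form repeats the three publicly discoverable fields."""
    return all(str(form.get(f, "")).strip().lower() == getattr(acct, f).lower()
               for f in PUBLIC_FIELDS)

def weak_recovery(acct, form):
    # Flow as reported: matching public facts is enough, and nothing ties
    # the request to the mailbox on file.
    return "reset" if knowledge_match(acct, form) else "denied"

def issue_token(acct, ttl=900, now=None):
    """Create a single-use token; assumed to be mailed to acct.email only."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[token] = (acct.username, now + ttl)
    return token

def hardened_recovery(acct, form, token=None, now=None):
    now = time.time() if now is None else now
    if not knowledge_match(acct, form):
        return "denied"
    owner, expiry = _pending.pop(token, (None, 0.0))  # pop makes the token single-use
    if owner == acct.username and now < expiry:
        return "reset"
    # Public facts without proof of mailbox control never reset automatically.
    return "manual_review"
```

Requests that cannot present a valid token fall through to `manual_review`, so an owner who has lost the mailbox still has a path that a person actually checks.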
She reported her findings to MySpace, but received only an automated response. Having heard nothing further, she has now published her discovery. She refers to the data breach that came to light in 2016, in which 360 million account details were leaked. In the period since then, MySpace said measures were being taken to improve security. While MySpace is no longer relevant as a social network, its security is, Galloway said.