Myspace fixes account security hole – but delete your account anyway

If you don’t use it, delete it.


As we reported yesterday, a shocking security hole was found in Myspace (remember Myspace?) that meant anyone could seize control of your account just by knowing your name, username, and date of birth.

Yes, somewhere there’s a village missing its idiot. And the idiot’s name is Myspace.

The mindbogglingly awful weakness in Myspace’s security was uncovered by researcher Leigh-Anne Galloway who privately informed the primordial social network back in April.


That security hole would be bad enough, but what was really appalling was that the only response Leigh-Anne received from Myspace was an automated “Thanks for contacting Myspace” email.

It was only when, in her frustration, Leigh-Anne went public about the problem that Myspace finally saw fit to take some action. Which, thankfully, it now has – blocking access to the old, risky account recovery webpage.


So, problem over?

No, I don’t think so.

You see, if something *that* bad can be present on Myspace I wonder what other problems might lurk there?

Chances are that many people who have Myspace accounts created them years ago, and in all likelihood never visit the site anymore.

If you’re one of those people, and have no use for the site, why not delete your Myspace account rather than risk something bad happening? At the same time, you might be wise to have a think about what other ancient websites you might have joined long, long ago before you got more sensible about things like choosing strong, unique passwords.

Don’t forget, by the way, that someone was claiming to sell hundreds of millions of stolen Myspace account details last year…

For further discussion of this incident take a listen to this episode of the “Smashing Security” podcast:

Smashing Security #034: 'The pen is mightier than the password'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Myspace fixes account security hole – but delete your account anyway”

  1. Gulraj Rijhwani

    Absolutely right. After all MySpace has a long and chequered history as regards security anyway. A laissez-faire attitude has been endemic since its inception. Remember the ability to "personalise" your page by embedding stored code in your account data – XSS for all? Or the public exposure of 360 million account credentials in 2016 which had actually been exfiltrated 3 years earlier?

    Whatever's under that bonnet isn't worth trusting.

  2. Vito

    The MySpace site is non-intuitive, cumbersome to use, unfriendly to my browser, relentlessly buggy, and nearly impossible to use with NoScript…even with the "Temporarily allow all this page" setting. I almost never use the site, and fully intended to delete my account after reading this article.

    So I went there and tried to log in, and found that my password didn't work. Uh-oh…

    As it turned out, I was able to reset my password, after which I was able to log in and visit my account. To my surprise, I had several new connections from people I respect, so I decided to keep the account. But I still think it's a poorly designed, buggy interface. For now, it's probably worth maintaining a presence there, but MySpace is in desperate need of a redesigned interface.

    As for the security of my personal information, there's nothing worth stealing. All of my profile information (including my date of birth) is fictitious. I never trusted MySpace to handle my data securely in the first place.
