MySpace Security Flaw Gave a Final Reason to Delete Your Account

How to get your old MySpace back and then kill it forever.

A lot of people have old undeleted MySpace profiles, but a security flaw exposed Monday finally gives us all a reason to save any old photos and delete those profiles for good.

Security researcher Leigh Anne Galloway writes in a post that all anybody needed to take over your old MySpace account — up until MySpace pulled down the form on Monday after her post was published — was three pieces of information, which, with a little inspired Googling, could typically be found online:

  • Your name
  • Your MySpace user name (“xSceneKid_420_69x,” for example)
  • Your date of birth

One piece of information you didn’t need to access your old MySpace account — or if you’re a hacker, someone else’s — was the password. Which was a bad thing.

Galloway came across this hole in the system when she was trying to close her MySpace account.

First, a little back-story: MySpace was the victim of a massive — 360 million accounts-massive — hack in 2016. As a reaction, MySpace hurt its own already-struggling business by invalidating every old user password as a way to burn up the user data that had leaked online. This happened to every account created before June 11, 2013 on the original MySpace platform — so, probably your account.

The MySpace account recovery form stated that the current email address and the email address you had for MySpace were required, but they actually weren't.

To gain access to your MySpace account post-hack, the company set up an account recovery page, myspace.com/account/recovery. The problem was that fields marked as required on the form weren’t actually required, which is why somebody only needed the three pieces of data you see above in order to see your photos from the statistically likely year of 2006. Even though the field marked “current email address” had an asterisk next to it — meaning it was “required” — it in fact was not required. Neither was “email address on account.”
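The gap between a field that is starred on the page and a field the server actually checks, shown as an added example that is not MySpace's code. The field names, the stored record and both function names are assumptions made for illustration.

```python
import hmac

# Constructed account record standing in for what the server has on file.
ACCOUNT = {
    "full_name": "Jane Example",
    "username": "xSceneKid_420_69x",
    "date_of_birth": "1988-04-20",
    "email_on_account": "jane@old-mail.example",
}

# Every field the form marks with an asterisk (assumed names).
REQUIRED = ("full_name", "username", "date_of_birth",
            "email_on_account", "current_email")
# Fields that must also match the stored record.
MATCHED = ("full_name", "username", "date_of_birth", "email_on_account")


def _same(a, b):
    # Constant-time comparison of normalised strings.
    return hmac.compare_digest(a.strip().lower().encode(),
                               b.strip().lower().encode())


def lax_recovery(form, account):
    """Behaviour the article describes: the asterisk is cosmetic, the
    e-mail fields are never checked, and three public facts suffice."""
    return all(_same(form.get(f, ""), account[f])
               for f in ("full_name", "username", "date_of_birth"))


def strict_recovery(form, account):
    """Server enforces what the form claims: every starred field must be
    present, and the stored ones must match. Returns (ok, missing)."""
    missing = [f for f in REQUIRED if not form.get(f, "").strip()]
    if missing:
        return False, missing
    return all(_same(form[f], account[f]) for f in MATCHED), []
```

The check has to run on the server: an asterisk or a `required` attribute in the page only affects what the browser displays and submits.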

MySpace has taken down the account recovery form you see above and has replaced it with this one you see below, which requires more information:

This is part of the form

Here’s how to delete your MySpace account, if you’d like to avoid having your account taken over by any future security flaws. After gaining access to your old account (if you haven’t already done that), save your old photos — oh god oh god look at your hair then — and then find the little gear icon in the lower-left hand corner of the screen if you are on desktop.

How to Delete Your MySpace Account Once-and-for-All:

  1. Go to Account Settings.
  2. Click on the little gear icon.
  3. Click “Account” from the pop-up menu.
  4. Click “Delete Account.”
  5. You’ll be met with a survey modal. G’head and click whatever option feels appropriate to you.

This feels like the right choice.

  6. Wow, it’s gone. The MySpace homepage reloads. Try to click the Sign-In option. Your email and password combo won’t work. Your MySpace, like your scene hair, has been cut off forever.