Myspace is Ridiculously Easy to Hack, Have You Closed Your Account Yet?


Time Inc. is the new owner of Myspace, a well-known social networking website dating back to 2003, when Facebook and Twitter were not yet at the top of social media.

Myspace had more than 76 million U.S. visitors in 2008 before it was crushed by Facebook.

Last year, Myspace suffered one of the largest breaches in history. The data of over 427 million Myspace users was made available online. It included usernames, email addresses, and other sensitive information such as passwords. In response, Myspace confirmed the data breach and assured everyone that it would take significant measures to tighten security.

Viant, an ad tech company, took over Myspace from News Corp in 2011. Later, Viant positioned Myspace as a music-discovery site with access to millions of tracks and videos. Viant has a user database of 1.2 billion globally, including Myspace’s 1 billion. Last year, Viant became a subsidiary of Time Inc.

Time Inc. said it will focus on the company’s assets to target online ads, link usage on devices with people and convert “ad spending to actual sales.” The acquisition lets it stand apart from other media partners by offering marketers both data-driven and premium content, while most media partners offer only one of the two.

If you have an old Myspace account that you have left unattended, it is time to deactivate it. The recovery links Myspace offers to those who have lost their passwords are not secure enough. The recovery page asks only for a username, email address and date of birth, which can be hacked easily with a bit of research.

“Many questions and jokes about My Space,” Murdoch tweeted in 2012. “Simple answer — we screwed up in every way possible, learned lots of valuable expensive lessons.”

According to a post on Leigh-Anne Galloway’s blog, the recovery page asks for the account holder’s name, username, original email address, and birthday. The first two details are publicly displayed on a person’s profile page, and the original email address is not used for any authentication, so it does not matter whether you key in the actual one or not. The birthday is something that anyone can figure out with a bit of research. Once this information is keyed into the recovery form, the site prompts you to sign in to the account, allowing you to reset the password.

So, the authentication for recovery is simple enough for anyone to mimic and log in to your account. If you’re not using your account, you’re better off deactivating it.
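
The recovery check described above, next to a hardened form, as an added example that is not Myspace's code and does not come from Galloway's post. The record layout, function names and token flow are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample record; field names are assumptions, not Myspace's schema.
ACCOUNT = {"name": "Alex Doe", "username": "alexd",
           "email": "alex@example.com", "birthday": "1990-04-01"}

TOKEN_TTL = 900   # seconds a recovery link stays valid
_pending = {}     # username -> (sha256 of token, expiry time)


def weak_recover(form, account=ACCOUNT):
    """Flow as the article describes it: name and username are public,
    the birthday is guessable, and the submitted email is never compared."""
    return all(form.get(k) == account[k] for k in ("name", "username", "birthday"))


def start_recovery(form, account=ACCOUNT, now=None):
    """Hardened step 1: form fields only locate the account. A single-use
    token is created for delivery to the email already on file, so the
    requester must control that mailbox. Returns the token (a real service
    would mail it and never show it in the response) or None."""
    now = time.time() if now is None else now
    if form.get("username") != account["username"]:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[account["username"]] = (digest, now + TOKEN_TTL)
    return token


def finish_recovery(username, token, now=None):
    """Hardened step 2: allow the reset only for an unexpired, unused token."""
    now = time.time() if now is None else now
    # pop() makes the token single use; a wrong guess also burns it.
    digest, expiry = _pending.pop(username, (None, 0))
    if digest is None or now > expiry:
        return False
    supplied = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(digest, supplied)
```

In the hardened flow, knowing the name, username and birthday gets a requester no further than triggering a mail to the address on file.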