When Myspace Was King, Employees Abused a Tool Called 'Overlord' To Spy on Users (vice.com)
During the social network's heyday, multiple Myspace employees abused an internal company tool to spy on users, in some cases including ex-partners, Motherboard reported on Monday. From the report: Named 'Overlord,' the tool allowed employees to see users' passwords and their messages, two former employees said. While the tool was originally designed to help moderate the platform and allow MySpace to comply with law enforcement requests, multiple sources said the tool was used for illegitimate purposes by employees who accessed Myspace user data without authorization to do so. "It was basically an entire backdoor to the Myspace platform," one of the former employees said of Overlord. (Motherboard granted five former Myspace employees anonymity to discuss internal Myspace incidents.) The abuse happened about a decade ago, closer to the height of the platform's popularity, according to multiple sources. In fall 2006, the platform signed up its 100 millionth user. Around this time, Myspace was the second most popular website in the U.S., and ranked higher than Google search. Further reading: MySpace Has Reportedly Lost All Photos, Videos and Songs Uploaded Over 12 Years Due To Data Corruption During a Server Migration Project (March, 2019).
Nothing on the internet (Score:4, Informative)
Re: (Score:2)
nothing on the Internet is forever.
"Forever" is pretty harsh. Let's just say everything on the internet is indefinite
Re:Nothing on the internet (Score:5, Insightful)
Nothing on the Internet is private, nothing on the Internet is forever.
That is one lesson.
Another is: If people have power, they will abuse it.
Re: (Score:2)
More correctly, if it's something you'll need in the future, the information will disappear shortly before you need it.
If it's something that will embarrass you or be used against you in the future, that information will be mirrored and made effectively permanent.
Re: (Score:2)
You know CmdrTaco has such a tool. He's just waiting for the right time to strike.
Authorization? (Score:3)
There are plenty of companies on this planet today that give their workers full access to the back-end data as part of their job. Being a voyeur is a time-tested human pastime. Ever heard a friend say they enjoyed people watching? Humans are curious about others for all sorts of reasons.
All of this happened before large privacy scandals became daily news. Can we go back and dig up dirt from years ago? Sure. Can we go back and judge what we did yesterday by today's rules? Yup. Can we go back and find procedures that were abused? Sure. Can we go back and find processes that were young, unregulated and in development? Of course.
If this sort of thing amazes anyone, they should go back and look at college yearbook photos from before they were born.
--
You must be the change you wish to see in the world. -- Mahatma Gandhi
Re: Authorization? (Score:3)
Old rule from one of my first netsec jobs, that granted full access to everything in a big organization:
A White Hat doesn't read people's mail. Ever. End of discussion.
Re: (Score:2)
It's an interesting sociological question as to whether a specific "overlord-mode" that has been written (assumingly a GUI of some kind) is somehow worse than the fact that employees necessarily have access to the raw database. In reality, snooping will be done whether overlord-mode is written or not. I guess it just "looks worse" that there's a defined way to do it, but I don't think it means it will be *done* any more or less.
Are slashdotters surprised? (Score:5, Insightful)
Anyone who has been a sysadmin will know that admins can see the entire system under their control.
Ideally Myspace would have used compartmentalized access and logged access for an independent security team to review for rogue access.
But this was 2006 and the new breed of internet coders didn't focus on these things. Unfettered growth was their biggest concern.
Think about the "free" services you use now... Facebook, Instagram, Twitter, Snapchat, Reddit, & Slashdot. Do you think the situation has really improved a whole lot for 2019? You are kidding yourself if you believe things have changed for the better.
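The logged-access review suggested in the comment above, sketched as an added example that is not part of the thread and not Myspace's code: every sensitive action in a staff tool must cite a moderation or law-enforcement ticket for the account being viewed, and a reviewer outside the team flags the rest. The log format, ticket ids, employee and account names are all constructed.

```python
from collections import Counter

# Constructed audit records from a hypothetical internal support tool:
# (timestamp, employee, action, target_account, ticket)
SAMPLE_LOG = [
    ("2006-10-02T09:14", "emp_a", "view_messages", "user_1001", "MOD-311"),
    ("2006-10-02T09:40", "emp_b", "view_messages", "user_3003", ""),
    ("2006-10-02T11:05", "emp_b", "view_password", "user_3003", ""),
    ("2006-10-03T14:22", "emp_c", "view_messages", "user_4004", "LE-042"),
    ("2006-10-03T15:00", "emp_a", "view_profile", "user_1001", ""),
    ("2006-10-04T08:30", "emp_c", "view_messages", "user_2002", "LE-042"),
    ("2006-10-04T10:00", "emp_d", "view_messages", "user_5005", "MOD-999"),
]

# Constructed ticket register kept by the review team: ticket -> account it covers.
KNOWN_TICKETS = {"MOD-311": "user_1001", "LE-042": "user_2002"}

# Actions that expose private user data and therefore need a justification.
SENSITIVE = {"view_messages", "view_password"}


def review(log, tickets):
    """Return (findings, repeat_pairs) for sensitive accesses lacking a valid ticket."""
    findings = []
    unjustified = Counter()
    for ts, employee, action, target, ticket in log:
        if action not in SENSITIVE:
            continue
        if not ticket:
            reason = "no ticket"
        elif ticket not in tickets:
            reason = "unknown ticket"
        elif tickets[ticket] != target:
            reason = "ticket is for another account"
        else:
            continue  # access is backed by a ticket for this exact account
        findings.append((ts, employee, target, reason))
        unjustified[(employee, target)] += 1
    # The same employee returning to the same account without cause is the
    # pattern the article describes (e.g. looking up an ex-partner).
    repeat_pairs = sorted(pair for pair, n in unjustified.items() if n >= 2)
    return findings, repeat_pairs


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, KNOWN_TICKETS)[0]:
        print(finding)
```

The check only has value if the tool's operators cannot edit the log or the ticket register themselves.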
Re: (Score:1)
Actually it is possible to compartmentalize admin duties so that your assertion isn't true. For example by implementing sharding and affording the ability to back up and restore different databases which take on meaning only when accessed as an aggregate, to different accounts with different credentials. In order to do this though you have to want to do this and see a need to do this. To be a bit realistic s
Less is more or more is less? (Score:2)
Really? (Score:3)
Nothing to see here... move along...
Re: (Score:2)
why limit yourself to social platforms? basically anything stored on a computer system will have some kind of implementation that allows this. /. on the amount of articles about police abusing one or another database to spy on girlfriends/wives/etc or other such examples.
just check
Is this news? (Score:1)
No!!!! (Score:3)
No!!!! My favourite songs were meant to be private!
Inevitable. (Score:3)
Back in the '80s I visited the Compuserve central office and their operations center. I asked if the people running the network there could read the messages.
I got an unequivocal no and absolutely no. Not only were the employees not permitted to read the messages but there was no physical way to do so. Any activity that could open up a way to do so was strictly monitored.
Different world. They understood. And they had fed regulation.
When you have a class of workers unsupervised who have access to get at private communication they WILL monitor that communication. Some percentage of them will. Maybe not 100% but certainly it is not 0%.
And the percentage will go up if a target is sexually attractive to the person in the position to abuse. Anyone who denies this is either lying, delusional, or ignorant beyond words.
Other people's problems (Score:1)
Some other fun MySpace facts: (Score:1)
They stored your entire password in plain text, but they only authenticated you against the first 10 characters of it.
They stored and cataloged every single failed authentication attempt.
They sold and leaked both these sets of data (along with everything else) to advertisers while simultaneously leaking it to criminals as well as allowing their employees to access it for their personal gain.
Then, in what was either the biggest incidence of willful obstruction of justice ever committed or the single greatest
Re: Some other fun MySpace facts: (Score:3)
Surveillance Valley Razor:
Never attribute to incompetence that which can be adequately explained by malice.
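What the first claim in the "Some other fun MySpace facts" comment above would mean in practice, as an added example that is not from the thread or from Myspace's code: a check that compares only the first 10 characters of a plaintext password accepts any attempt sharing that prefix, while a salted PBKDF2 record verifies the whole password and leaves nothing readable for an internal tool to display. Function names, the iteration count and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

PREFIX_LEN = 10          # the truncation length the comment describes
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def weak_store(password):
    """Behaviour as described in the comment: keep the password readable."""
    return password


def weak_check(stored, attempt):
    """Behaviour as described in the comment: compare a 10-character prefix."""
    return stored[:PREFIX_LEN] == attempt[:PREFIX_LEN]


def strong_store(password):
    """Hardened form: random salt plus a slow one-way derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def strong_check(record, attempt):
    """Re-derive over the full attempt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


def compare(password, attempts):
    """Return {attempt: (weak_result, strong_result)} for constructed inputs."""
    weak_record = weak_store(password)
    strong_record = strong_store(password)
    return {
        a: (weak_check(weak_record, a), strong_check(strong_record, a))
        for a in attempts
    }


if __name__ == "__main__":
    # Constructed sample: the second attempt shares only the first 10 characters.
    results = compare("correcthorsebattery",
                      ["correcthorsebattery", "correcthorWRONG"])
    for attempt, outcome in results.items():
        print(attempt, outcome)
```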