MySpace: The OSINT Left Behind For Collection

This article is more than 5 years old.

If you are above 30, the chances that you had a MySpace account before Facebook came along are high. My question to you in this Open Source Intelligence (OSINT) journey is this: What did you do with your account when you left? I expect the answer to be that you abandoned it and never looked back. While that may be okay to a degree, it was still mostly taboo to use or reveal your real full name. The majority of people left this information behind. There is a good chance that their Facebook username is identical to their MySpace name.

How did you use your MySpace? Did you post anything that may be embarrassing? Any college days kegstand pictures? Partying in the club while visibly inebriated? If you answered yes, these could all surface if a persistent attacker or OSINT investigator went down the rabbit hole on your account. If you answered no, there still may be unflattering or embarrassing information about you.

To demonstrate this, I looked at some of my friends in the hacker and infosec community. I made note of their Twitter handles, then applied the theory of username reuse to see if I could find their MySpace accounts and find out what was publicly available. In the interest of protecting my friends, I will not be saying whose accounts I assessed.

The first name that came to mind had a MySpace under the same username. Since I have spent time with them in person at conferences, I was immediately able to validate the profile based on their picture. This user listed their first and last name in addition to the single picture, but the only other thing I can see is their connections. In normal instances, this could be useful, but given the dated nature of MySpace data, the validity may have diminished.

The next is not someone that I have met in real life, but I have exchanged ideas with them in conversations on social media. I used their standard username and found a MySpace account. At first, I was not 100% sure that I had the right account. Scrolling through albums, I found the same picture that this person uses as their Facebook and Twitter profile pictures. Using TinEye, I was able to correlate this person with the About Me page on their website. This contained usernames and links to all social media platforms, except MySpace. I also learned that they use a different username on YouTube.

I searched for a very privacy-conscious friend. They are so conscious that they do not use their real name on social media. While their account was set to Protected Mode without a picture, I still saw their real name.

My next target was an old-school phreaker (pay phone hacker and fraudster) turned information security professional. This person only goes by their handle on Twitter and Facebook. Using this, I found their MySpace, which included pictures of them talking on pay phones as well as using the Blue Box for phreaking activities. In their connections, I found numerous accounts associated with phones or with profile pictures of people on pay phones. This account also has connections with accounts associated with legalizing marijuana and Ron Paul, which is consistent with this person's real-world demeanor and beliefs.

One of the profile pictures used on the user above's page said that "Royal is locked up" with a prison address and what the person was allowed to receive. Through some more OSINT investigating, I was able to uncover that "Royal" pleaded guilty to one count of obstructing justice associated with another party swatting people in Texas. Swatting is the act of fooling police into believing that someone is a credible threat to the point where the SWAT team enters the unsuspecting victim's house.

When I moved to older people within the community, I could not find MySpace accounts for them. This could be due to a variety of reasons. The people may not have used MySpace. Alternatively, they may have used a different username or may have already deleted their account. Without asking them, there is no way (aside from the Wayback Machine) to find out.

In conclusion, this should be a stark reminder that the internet is permanent. When usernames are recycled across multiple platforms, it opens the owner to monitoring and investigation. Internet etiquette has changed somewhat since Facebook eclipsed MySpace, as has the way society handles privacy. Just because something is not actively in use or updated does not mean that it is off limits for someone to go snooping through, whether innocently or for malice.

This post has been updated since it was originally posted. The original verbiage regarding "Royal" stated that he was arrested for swatting people as opposed to pleading guilty to one count of obstructing justice per a release from the Justice Department.