Let me begin by apologizing to everyone who currently has a MySpace.com account. I assure you, my intent is not to put your information at risk. On the contrary, I am publishing this with the sincerest hope that you will improve your online behavior in a manner that makes such “attacks” fruitless. That being said, let us just move right into it.
In just 5 minutes I was able compiled a list of 30+ social security numbers, one credit card number (complete with expiration date), 12 login passwords, 100+ home addresses, and about 20 home phone numbers – all belonging to various members of MySpace.com. If this worries you, I apologize; but it gets worse. Everything I did was legal, and the only tool I used was Google.com. Is some of your personal information in my list?
To find out, try the attack yourself. Visit Google.com in another tab. In the search box, type the following:
Site:www.myspace.com “my phone number is”
Today, my search yielded about 138 results, most of which were solid hits on personal MySpace member pages on which someone was careless enough to reveal their phone number (presumably thinking only friends would see it). Try this one on for size:
into the search box of Google.com, Google will search every website whose URL starts with www.website.com, for the words “String of text here”. Since every MySpace user’s webpage URL is in the format: www.myspace.comusername, entering ‘site:www.myspace.com’ in the beginning of the search box will cause Google to search through the web pages of every single MySpace user that exists.
So, we now know how to focus the power of Google’s search engine on MySpace.com. The second half of the attack involves using this focused search power to find strings of words that usually come immediately before or after critical personal information. For example, personal telephone numbers are usually surrounded by phrases such as, “call me at”, “my cell number is”, “my phone number is”, “is my phone number”, and “call me at this number”. You may try replacing the word ‘number’ with the ‘#’ sign in some searches to yield different results.
So, how personal can we get? That all depends on how personal MySpace users get! As I write this, “my password is” reveals 7 real passwords when focused at MySpace.com. “My social security number is” yields about 6 Social security numbers. “My social security # is” (using ‘#’ in place of the word ‘number’) yields 1 additional number. “My mother’s maiden name is” reveals 6 maiden names. The slightly different version, “My mothers maiden name is” (with no apostrophe showing ownership in the word “mothers”) yields 6 different maiden names. “I lost my virginity to” yielded 35 hits… I didn’t even bother to look at how many were real.
To increase the effectiveness of your attack, try using common misspellings, improper grammar, slang terms, and abbreviations.
The information on MySpace is provided freely by the users, and is posted in an insecure format, available for anyone to search through. It is surprising, and even frightening, how many people freely give up sensitive information. You can try this “Googlehack” every few days, and you’ll see that there is a constant flow of new and sensitive personal information spewing out of MySpace. What’s worse, if you find that you have accidentally put some of your own personal information on your webpage, then go back and delete it, there is a chance that Google got to it first and cached it. Thus, much information remains accessible even after you’ve removed it from your own page.
My first piece of advice: stop putting personal information on the internet! If you are not using a secure website, you shouldn’t be peddling in secure content. If you’re personal information has been cached by Google, write them a polite email and kindly ask that it be removed, they will comply.
My second piece of advice: Spread this information around to everyone! People need to know, and see, why they shouldn’t put valuable information in an insecure format online.
One last thing, please teach your kids not to reveal personal information online. I don’t doubt that sexual predators use this technique just as much as identity thieves and friendly hackers. Sexual predators are bad. Since we can’t kill them, we should at least attempt to foil their plans!
(If you are interested in more electronic security related information, please leave a comment telling me so. If there is an audience for it I’ll keep it coming. Do realize that it will be very watered down information, like this article has been, as I want to communicate it to a general audience, not just the technically ‘elite’).
