Is Zuckerberg Tough Enough on Security?
Recent news reports revealed that several of Zuckerberg‘s social media accounts were breached and defaced by hackers about a week back. Among Zuckerberg’s compromised accounts were his Twitter, LinkedIn and Pinterest memberships. Evidence of the attacks disappeared quickly after popping up, though tech news source Engadget was managed to copy and post samples of the vandalism before it disappeared.
Facebook clarified to its users that no systems or accounts were accessed. Authorities believe that Zuckerberg’s LinkedIn password was compromised in 2012 and that information likely exposed him to the more recent breaches. However, since LinkedIn claimed that it had reset the passwords to all accounts affected by the 2012 breach, many have found reason to doubt the explanation for how the account breach happened.
LinkedIn and Twitter protect their users’ accounts with a two-factor authentication that makes entering into another’s account more than a password away. That said, according to Chris Webber, security strategist at Centrify, “knowing the group that did this, my guess is they did not crack two-factor authentication… My guess is that Zuckerberg did not have 2FA turned on on these sites.”
“This may be a case of a weak password stolen from 2012 that still worked,” Webber concluded.
While Zuckerberg is a prominent figure in online society, he’s not much of a figurehead in the Twitter world.
“He did not have a high-profile Twitter account,” said Sean Sullivan, a security researcher at F-Secure Labs. “He hadn’t posted to it in years… He obviously didn’t care about it much, which is why he used the same password between sites.”
While high-profile data breaches can damage the brands of all parties involve (think cheater dating sites, the NSA data breach facilitated by Edward Snowden, etc.), this particular case of hacking seems to be more an instance of mischief than malevolence.
“In this case, knowing that LinkedIn and Twitter have multifactor authentication that wasn’t turned on, this should be a call to action for the rest of us to turn on multifactor authentication and help keep these account hijackers at bay,” said Webber.
The group that took credit for the account hijackings is called OurMine Team, and is more of a pranking team than a group of cybercriminals.
“Attacks to social media accounts can be harmful, but typically it is more a case of hacktivism and ego than an attempt to truly cause damage,” explained John Bambenek, manager of threat systems at Fidelis Cybersecurity.
“It almost entirely revolves around building a name for yourself at the expense of others,” Bambenek added.
Zuckerberg’s account was hijacked shortly after famous pop singer Katy Perry’s Twitter account was commandeered a week prior.
“We used to see these hacks occur in waves, but now these things are cropping up almost on a weekly basis,” commented CEO of Gurucul, Saryu Nayyar. “There were over 700 million accounts compromised in the LinkedIn, Tumblr and Myspace breaches.”
“You can bet, as with any breach, there are people out there trying to access those compromised accounts,” said John Shier, senior analyst with Sophos. “It’s not a stretch to think that out of 700 million accounts, some of those might belong to high-profile individuals.”