Facebook top dog Mark Zuckerberg had several of his social media accounts breached and defaced, according to reports that surfaced Sunday.
Zuckerberg’s Twitter, LinkedIn and Pinterest memberships were hacked, but evidence of the attacks quickly disappeared, according to Engadget, which copied and posted samples of the vandalism before they were erased.
“No Facebook systems or accounts were accessed,” Facebook said in a statement provided to TechNewsWorld by spokesperson Jay Nancarrow, and affected Twitter, LinkedIn and Pinterest accounts have been re-secured using best practices.
The latest breach could be linked to one that occurred at LinkedIn in 2012, according to one line of speculation. The reasoning is that Zuckerberg’s password for LinkedIn was exposed in that breach and then used to access his other accounts.
However, LinkedIn last week said that it had reset the passwords to all the accounts affected by the 2012 breach, which casts doubt on that explanation.
Orphan Twitter Account
In addition to requiring passwords, Twitter and LinkedIn protect their accounts with optional two-factor authentication.
However, “knowing the group that did this, my guess is they did not crack two-factor authentication,” said Chris Webber, security strategist at Centrify.
“My guess is that Zuckerberg did not have [2FA] turned on on these sites,” he told TechNewsWorld. “This may be a case of a weak password being stolen from 2012 that still worked.”
While many prominent figures use Twitter extensively, Zuckerberg isn’t one of them.
“He did not have a high-profile Twitter account,” noted Sean Sullivan, a security researcher at F-Secure Labs.
“He hadn’t posted to it in years,” he told TechNewsWorld. “He obviously didn’t care about it much, which is why he used the same password between sites.”
Mischief Not Malevolence
High-profile data breaches can result in damage to the brand of a hacked organization.
Consumers hold companies more accountable for data breaches than they hold the hackers behind the breaches, Webber pointed out, citing a Centrify survey.
Rather than take the organizations to task for this latest intrusion, consumers should take heed, he suggested.
“In this case — knowing that LinkedIn and Twitter have multifactor authentication that wasn’t turned on — this should be a call to action for the rest of us to turn on multifactor authentication and help keep these account hijackers at bay,” Webber said.
The group claiming responsibility for the account hijackings, OurMine Team, seems more interested in mischief than malevolence.
“Attacks to social media accounts can be harmful, but typically it is more a case of hacktivism and ego than an attempt to truly cause damage,” said John Bambenek, manager of threat systems at Fidelis Cybersecurity.
“It almost entirely revolves around building a name for yourself at the expense of others,” he told TechNewsWorld.
More to Come?
The hijacking of the Zuckerberg accounts comes on the heels of the commandeering of pop singer Katy Perry’s Twitter account last week.
“We used to see these hacks occur in waves, but now these things are cropping up almost on a weekly basis,” Gurucul CEO Saryu Nayyar told TechNewsWorld.
“There were over 700 million accounts compromised in the LinkedIn, Tumblr and Myspace breaches,” added John Shier, a senior security analyst with Sophos.
“You can bet, as with any breach, there are people out there trying to access those compromised accounts,” he told TechNewsWorld. “It’s not a stretch to think that out of 700 million accounts, some of those might belong to high-profile individuals.”
The compromise of Zuckerberg’s personal accounts may be an embarrassment to him, but it may be even more so for the security folks at Facebook.
“The security culture of any enterprise is set by the actions and attitudes of its top leadership,” observed Leo Taddeo, chief security officer for Cryptzone and former head of the cyber division in the FBI’s New York Office.
“By dropping the ball on his own password security, Mark Zuckerberg undermined the security culture for the employees at Facebook,” Taddeo told TechNewsWorld, as well as for “all of us who see him as an example to follow.”