Mark Zuckerberg’s social media accounts on Pinterest and Twitter were hacked by an organization calling itself OurMine. The hackers cheekily sent Mr. Zuckerberg a message from his account, saying, “We are just testing your security”.
The hackers reportedly gained access through account details exposed by the LinkedIn data breach in 2012 when over 100 million accounts were compromised.
Two questions immediately spring to mind. Firstly, why had he not enabled stronger login protection using 2 factor authentication through his mobile phone? And secondly, had Mr. Zuckerberg not changed his password since then?
In 2011, Facebook itself introduced ‘Login Approvals’, so that when you log in from an unknown device, it authenticates you with a code sent by text message to your mobile phone. The blog post on Facebook’s page announcing the feature states:
“As more individuals and businesses turn to Facebook to share and connect with others, people are looking to take more control over protecting their account from unauthorized access”
You would assume that Mr. Zuckerberg understood the risks to his own social media accounts, having shipped a solution to exactly this problem for users of his own social media site.
We can all understand that people sometimes use the same password on several sites; most of us are guilty of that. But not to have changed the password on those sites after a breach as big as LinkedIn’s could be described as naïve, maybe irresponsible.
Let’s not judge too quickly, though, because we have to remember that most celebrities and billionaires don’t tweet and post content themselves (I do all my own!). It’s normal for teams of marketing and public relations people to control their online presence and identity as part of the overall brand. These teams likely share access to the same account, possibly reusing the same login credentials year after year. Securing a Twitter account with shared access properly means using TweetDeck’s team feature: each team member signs in with their own Twitter account, is granted access to the shared account, and manages their own security settings. They can turn on 2 factor authentication, but they might not, so the shared account is only as strong as the weakest settings of the individual members who can reach it.
Solutions that allow shared access do exist, and TweetDeck’s team feature offers this for Twitter, but it was not released until 2015. Mr. Zuckerberg’s Twitter account had not shown a tweet since 2012 until it was hacked. An account that is not used to post content is probably not thought of as a risk, which of course is wrong, and such an account may not even be used to consume content, so nobody is watching it.
The moral of the story is that we should:
- Enable 2 factor authentication, either validating with a mobile device every time you log in or at least when a new device tries to access your account.
- When there is a data breach that may involve your data, do not sit back and assume it will not happen to you: change your passwords. If you are using the same password on several accounts, change it on all of them and make each one unique.
- Delete or suspend inactive accounts that you no longer use; if you suspend them, turn on 2 factor authentication so that only you can reactivate them at a later date.
Personally, I use the option to authenticate through my mobile phone. While this causes some inconvenience when logging in, it does give me the confidence that I have the most secure option turned on.
Mr. Zuckerberg got lucky this time around as the hackers just wanted the kudos of hacking his account. I can only imagine the chaos this caused his marketing and PR people, running around in panicked circles, vowing to never let this happen ever again.
June 7, 2016