The last few weeks have seen a number of social networking accounts belonging to high-profile tech company CEOs getting hacked and making posts. First there was Facebook’s Mark Zuckerberg, with his accounts on LinkedIn, Twitter, and Pinterest getting breached. Then the same thing happened to Google CEO Sundar Pichai and his Quora profile. The latest to join the club is Twitter’s Jack Dorsey, who saw his account on his own platform briefly compromised this weekend.
What’s even more surprising is that hackers going by the name “OurMine” were behind all three breaches, and had also recently gained access to the social media accounts of Daniel Ek, Spotify’s CEO. As in those previous cases, OurMine basically used Dorsey’s Twitter account to brag about its achievement.
At around 2:50 AM ET on Saturday, the hackers posted a tweet on the @jack account saying “Hey, it’s OurMine, we are testing your security, visit ourmine.org,” along with their calling card: a video with a silly song. The same message was posted repeatedly, but the tweets were quickly deleted, and around 45 minutes later Dorsey was back in control of his account.
While Twitter accounts get hacked every day, what’s interesting about this incident — aside from the fact that it was the account of a Twitter co-founder — is that the hackers gained access by breaking into a different social media account that had rights to post to Twitter. All of OurMine’s tweets on Dorsey’s account came from Vine. The same tactic was used in Pichai’s case, with his Quora account being used to post the tweets.
While it’s not certain, there’s a good chance the hackers are finding such success by discovering that these CEOs’ various accounts share the same password. When a company’s user data is breached, as LinkedIn’s was in 2012, any password from that breach that is also used on other accounts and never changed gives attackers an easy way to run amok elsewhere.
Let Dorsey’s embarrassment serve as a public service announcement: never reuse passwords, use a password manager to keep track of unique logins, and always turn on two-factor authentication where it is available.