In-brief: Why the news that Facebook CEO Mark Zuckerberg had two lightly protected social media accounts hacked is a bigger deal than you would think.
Facebook founder and technology wunderkind Mark Zuckerberg had both his Twitter and Pinterest accounts hacked over the weekend, reportedly by attackers using a password gleaned from the CEO’s LinkedIn account.
As reported by the site Ars Technica and others, a hacking group going by the name of “OurMine Team” took control of Zuckerberg’s Twitter and Pinterest accounts, apparently using information from a major LinkedIn security breach that occurred in 2012.
Messages sent from OurMine Team claimed the passwords to Zuckerberg’s little-used Pinterest and Twitter accounts were the same as the one for his LinkedIn login (“dadada”). Both Twitter and Pinterest quickly restored control of the accounts over the weekend, and Twitter also suspended the OurMine Team account.
Facebook took pains to make clear that its systems were not affected.
“No Facebook systems or accounts were accessed. The affected accounts have been re-secured using best practices,” spokesman Jay Nancarrow told Security Ledger.
While some media reports suggested that the CEO’s Instagram account was affected, a source with knowledge of the incident said that was not the case. “(Facebook’s) security systems prevented the Instagram account from being accessed,” the source said, adding that Zuckerberg’s Facebook account was not affected either.
Facebook declined to comment on whether Zuckerberg was using additional security features to secure his accounts, such as a “second factor” like a one-time password. However, the compromises would suggest that he was not: a leaked password alone would not have satisfied a second-factor prompt. Surveys of consumers have found that password fatigue, produced by the proliferation of password-protected web sites, social networks and applications, has led to lax habits around account security, such as password re-use and reliance on weak passwords.
Though the issue appears to be resolved, it counts as a serious security lapse for a notably security-conscious and technologically adept executive and his firm. Targeted phishing is one of the main avenues by which high-value individuals, including executives, are attacked, and a hijacked account is a trusted sender for exactly that kind of message. The OurMine Team seemed content to shame Zuckerberg after compromising his accounts. However, a stealthier attacker could have used that access to target others within Zuckerberg’s network, or even the CEO himself.
Though the LinkedIn breach is not new, it recently burst into the headlines again when reports surfaced that 117 million passwords were actually exposed in the incident, far more than was initially believed. Password re-use between sites is widespread, though widely recognized as an insecure practice. Attackers taking password data from one breach and trying it against other social media or corporate accounts (credential stuffing) is likewise a well-established pattern, and the same check can be run defensively: once a breach dump is public, a site can find which of its own users are exposed before the attackers do.
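The following is an added example, not code from the article or from any of the companies it mentions, showing both sides of that pattern on constructed data. It assumes the other site stored unsalted SHA-1 hashes (the format of the simulated dump here, not a claim about any real file) and that the local site uses per-user salted PBKDF2. The attacker's step is cracking the dump with a wordlist; the defender's step is joining the recovered plaintexts against its own user store by e-mail, plus a login-time check that catches passwords present in the dump even when no e-mail lines up or the hash was never cracked. All e-mails, passwords and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not real breach data).
# The other site is assumed to have stored unsalted SHA-1, so one hash per
# candidate word covers every account in the dump.
OTHER_SITE_PASSWORDS = {
    "ceo@example.com": "dadada",             # reused on both sites
    "bob@example.com": "letmein",            # weak, but different locally
    "carol@example.com": "Tr0ub4dor&3xyz",   # reused, but not in the wordlist
}
LOCAL_PASSWORDS = {
    "ceo@example.com": "dadada",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "Tr0ub4dor&3xyz",
}
WORDLIST = ["123456", "password", "dadada", "letmein", "qwerty"]


def build_breach_dump(passwords):
    """Simulate a leaked 'email:sha1hex' dump of unsalted hashes."""
    return [f"{email}:{hashlib.sha1(pw.encode()).hexdigest()}"
            for email, pw in passwords.items()]


def crack_dump(dump_lines, wordlist):
    """Recover plaintexts from an unsalted dump with a wordlist.

    With no salt, each candidate is hashed once and matched against every
    account in the dump, which is why unsalted dumps fall so quickly."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {}
    for line in dump_lines:
        email, digest = line.rsplit(":", 1)
        if digest in lookup:
            cracked[email] = lookup[digest]
    return cracked


def make_local_store(passwords, iterations=100_000):
    """The local site's user store: per-user random salt + PBKDF2-HMAC-SHA256."""
    store = {}
    for email, pw in passwords.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[email] = (salt, digest, iterations)
    return store


def verify_local(store, email, candidate):
    """Constant-time check of a candidate password against the local store."""
    entry = store.get(email)
    if entry is None:
        return False
    salt, digest, iterations = entry
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def find_reused_accounts(store, cracked):
    """Local accounts whose password equals the plaintext recovered for the
    same e-mail from the other site's dump: force a reset and enrol 2FA."""
    return sorted(email for email, pw in cracked.items()
                  if verify_local(store, email, pw))


def breached_at_login(breach_sha1_set, candidate):
    """Login-time check: the plaintext is available here, so it can be hashed
    the other site's way and matched even if the cracker never recovered it."""
    return hashlib.sha1(candidate.encode()).hexdigest() in breach_sha1_set


if __name__ == "__main__":
    dump = build_breach_dump(OTHER_SITE_PASSWORDS)
    cracked = crack_dump(dump, WORDLIST)
    store = make_local_store(LOCAL_PASSWORDS)
    print("cracked from dump:", cracked)
    print("local accounts reusing a cracked password:",
          find_reused_accounts(store, cracked))
    breach_set = {line.rsplit(":", 1)[1] for line in dump}
    for pw in ("letmein", "Tr0ub4dor&3xyz", "correct horse battery staple"):
        print(f"{pw!r} present in dump:", breached_at_login(breach_set, pw))
```

The join by e-mail only finds reuse the wordlist could crack (here, the "dadada" account); Carol's reused password is missed by that pass but is still caught by the login-time check, because at login the site holds the plaintext and can hash it the way the breached site did. That is the check worth running for every user the next time they sign in, rather than only for the e-mails that cracked.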
The decision by a sophisticated executive like Zuckerberg to re-use a weak password across social media accounts is bad enough. The failure to change that password, even on a little-used social media account, after the breach became known is almost inexcusable.
You can read more over at Ars Technica.