Over the last few weeks there have been some very large data dumps made public, with the data from past LinkedIn and Myspace breaches perhaps being the most notable. Due to the allegedly weak encryption used to protect the data, there is also concern that credentials from the Myspace dump in particular could be used in phishing attempts and attempts to log in to accounts on other popular services such as Facebook and Twitter. While the data is aged, it is quite possible that some users may not have changed their passwords within the last three years.

High-Profile Account Takeovers

Reports recently surfaced describing the takeover of some very high-profile users’ social media accounts, including Facebook CEO Mark Zuckerberg, singer Katy Perry, reality star Kylie Jenner and Twitter founder Evan Williams. Other notable Twitter accounts also recently compromised include those of the NFL and rapper Drake, Mashable reported. Whether these account takeovers are related to user details from the dumps is unknown.

The group allegedly behind the Zuckerberg and Williams account takeovers goes by the name of OurMine. The group has been associated with the account takeovers of popular YouTube posters. According to a report from Akamai, in 2015 the group was responsible for a series of distributed denial-of-service (DDoS) attacks against financial institutions, with the largest attack clocking in at some 117 Gbps.

When we checked the OurMine Twitter account after the Zuckerberg takeover, it had been suspended, but the Google cache version showed almost 50,000 followers. A cached copy of that account also revealed the group claimed to have access to some of Bill Gates’ accounts. The attackers appear to have created a backup account in May 2016, which they used when conducting their next wave of cyberattacks.

Through this Twitter profile, the group claimed to have accessed accounts belonging to DJ and music producer David Guetta along with Evan Williams. This account has now also been suspended. According to ValueWalk, the attackers first obtained access to Williams’ profile via his Foursquare account.

The official Twitter blog reported that the site investigated reports of usernames and passwords being available on the Dark Web. In the post, the company stated it is confident usernames and passwords were not obtained through a breach but more likely is a collection of credentials obtained through breaches of other sites or possibly credential-stealing malware.

Twitter checked the details obtained against user accounts, identifying at-risk accounts and others that had “direct password exposure.” These accounts were locked and required a password reset.

We Live Security reported that some 32 million login credentials for the social media site are available on the Dark Web. Whether the username and password details for all accounts are accurate is another question, but it would seem apparent from the hacks and Twitter’s response that at least some of them are.

More Than Just Bragging Rights

You may wonder why the takeover of a social media account is important. What can the attackers do beyond post some rude or braggadocious tweets?

In the case of the Katy Perry account takeover, The Guardian reported that those responsible uploaded one of her unreleased songs to the music hosting site SoundCloud. It’s not clear how these two incidents are related, but it’s possible that additional nefarious actions took place to obtain the song.

A more serious example of what a compromised social media account can lead to occurred in 2013, when the Twitter account of the Associated Press was taken over. A tweet from the compromised account claimed that there had been explosions at the White House and that the president had been injured. Since the AP is a verified account, the tweets were taken seriously and resulted in a sharp drop in the Dow Jones for a few minutes. The single tweet caused a $200 billion drop in the U.S. stock market.

While the Dow recovered and the Twitter account was suspended, this incident demonstrates just what can happen. There’s also the potential for malware distribution via account compromise. For example, Kevin Bacon’s Twitter account was taken over and a link posted to his hundreds of thousands of followers, which sent them to a site that harvested their credentials. Obfuscated links in tweets, often using URL shorteners, can also send clickers to drive-by download sites to get infected with malware.

Other potential consequences of account takeovers stem from password reuse. Getting hacked is easy when you’re using the same login credentials between applications.

Even if there are no serious consequences of a social media account takeover, explaining to friends that those nasty posts you made were the result of being hacked may not be totally believable; this has become the go-to answer when people wish to avoid responsibility for something they posted.

How to Protect Against Takeovers — Small Steps, Big Gains

Whatever the method being used by attackers to compromise accounts, there are some simple steps you can take to help keep your profiles safe and protect yourself from hacks.

The most important step is also the easiest to implement. If you used the same email address for multiple services (e.g., for TeamViewer and Twitter), make absolutely sure that the password for each account is different.

Keeping track of accounts and passwords can be a headache, so using a password manager to store those details makes sense. Make sure that it has a strong master password; the login credentials for that application would be very valuable to attackers, allowing them access to the details for every account stored in it.
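The two recommendations above (no password shared between accounts, and a manager that generates the replacements) can be checked rather than just trusted. The following is an added example, not code from the original article or from any password manager: it audits a constructed vault export for reused passwords and produces replacement passwords with the `secrets` module. The export format and the `fingerprint` helper are assumptions for the example; the audit reports a truncated hash of each password rather than the plaintext, so the report itself does not leak credentials.

```python
import hashlib
import secrets
import string

# Constructed sample of a password-manager export. The values are made up for
# this example; "hunter2" is deliberately reused across three services.
VAULT_EXPORT = [
    {"service": "twitter.com", "username": "alice@example.org", "password": "hunter2"},
    {"service": "teamviewer.com", "username": "alice@example.org", "password": "hunter2"},
    {"service": "facebook.com", "username": "alice@example.org", "password": "hunter2"},
    {"service": "github.com", "username": "alice", "password": "Tq9!vL2#pX8mR4zW"},
    {"service": "bank.example", "username": "alice@example.org", "password": "m7$Kd2!qZp0vH3xL"},
]

# Character set for generated passwords; every class a site is likely to require.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix used to name a password in reports without revealing it.
    (Hypothetical helper for this example; it is not a storage format.)"""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reused(entries):
    """Group entries by password and return {fingerprint: [services]} for every
    password that appears on more than one service."""
    by_password = {}
    for entry in entries:
        by_password.setdefault(entry["password"], []).append(entry["service"])
    return {
        fingerprint(pw): sorted(services)
        for pw, services in by_password.items()
        if len(services) > 1
    }


def generate_password(length: int = 20) -> str:
    """Return a random password drawn with the CSPRNG-backed secrets module,
    retrying until it contains a letter, a digit and a symbol."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(not c.isalnum() for c in candidate)):
            return candidate


def plan_rotation(entries):
    """For every service that shares a password with another, propose a fresh,
    unique replacement. Returns {service: new_password}."""
    reused = find_reused(entries)
    affected = {svc for services in reused.values() for svc in services}
    return {svc: generate_password() for svc in sorted(affected)}


if __name__ == "__main__":
    for fp, services in find_reused(VAULT_EXPORT).items():
        print(f"password {fp}... reused on: {', '.join(services)}")
    for svc, new_pw in plan_rotation(VAULT_EXPORT).items():
        print(f"rotate {svc}: new password of length {len(new_pw)} generated")
```

Running it against the sample reports one fingerprint shared by `facebook.com`, `teamviewer.com` and `twitter.com` and proposes three distinct replacements; the two strong, unique passwords are left alone. Against a real export, treat the export file itself as sensitive and delete it when the audit is done.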

Other recommendations:

  • Turn on out-of-band or two-factor authentication. Many providers will email or text you a code to confirm your identity if you need to recover a password or perform administration on your account. Google Authenticator is an example of an out-of-band authentication mechanism.
  • Use automatically generated passwords instead of trying to come up with unique ones yourself. Most password managers provide this capability.
  • If you own your own domain and your provider allows you to set up a catchall email account (i.e., any account name in the domain gets delivered to the main mailbox), use slight variations for each web account — for example, [email protected]. This helps you determine where your account credentials were harvested, whether it’s a hack or simply the provider selling your account name for marketing purposes.

Taking the steps outlined above can go a long way in helping you be confident that your voice remains your own in the world of social media.
