July 5, 2016 By Lyndon Sutherland 4 min read

Over the last few weeks there have been some very large data dumps made public, with the data from past LinkedIn and Myspace breaches perhaps being the most notable. Due to the allegedly weak encryption used to protect the data, there is also concern that credentials from the Myspace dump in particular could be used in phishing attempts and attempts to log in to accounts on other popular services such as Facebook and Twitter. While the data is aged, it is quite possible that some users may not have changed their passwords within the last three years.

High-Profile Account Takeovers

Reports recently surfaced describing the takeover of some very high-profile users’ social media accounts, including Facebook CEO Mark Zuckerberg, singer Katy Perry, reality star Kylie Jenner and Twitter founder Evan Williams. Other notable Twitter accounts also recently compromised include those of the NFL and rapper Drake, Mashable reported. Whether these account takeovers are related to user details from the dumps is unknown.

The group allegedly behind the Zuckerberg and Williams account takeovers goes by the name of OurMine. The group has been associated with the account takeovers of popular YouTube posters. According to a report from Akamai, in 2015 the group was responsible for a series of distributed denial-of-service (DDoS) attacks against financial institutions, with the largest attack clocking in at some 117 Gbps.

When we checked the OurMine Twitter account after the Zuckerberg takeover, it had been suspended, but the Google cache version showed almost 50,000 followers. A cached copy of that account also revealed the group claimed to have access to some of Bill Gates’ accounts. The attackers appear to have created a backup account in May 2016, which they used when conducting their next wave of cyberattacks.

Through this Twitter profile, the group claimed to have accessed accounts belonging to DJ and music producer David Guetta along with Evan Williams. This account has now also been suspended. According to ValueWalk, the attackers first obtained access to Williams’ profile via his Foursquare account.

The official Twitter blog reported that the site investigated reports of usernames and passwords being available on the Dark Web. In the post, the company stated it is confident the usernames and passwords were not obtained through a breach of Twitter itself; the dump is more likely a collection of credentials obtained through breaches of other sites or possibly through credential-stealing malware.

Twitter checked the details obtained against user accounts, identifying at-risk accounts and others that had “direct password exposure.” These accounts were locked and required a password reset.

We Live Security reported that some 32 million login credentials for the social media site are available on the Dark Web. Whether the username and password details for all accounts are accurate is another question, but it would seem apparent from the hacks and Twitter’s response that at least some of them are.

More Than Just Bragging Rights

You may wonder why the takeover of a social media account is important. What can the attackers do beyond post some rude or braggadocious tweets?

In the case of the Katy Perry account takeover, The Guardian reported that those responsible uploaded one of her unreleased songs to the music hosting site SoundCloud. It’s not clear how these two incidents are related, but it’s possible that additional nefarious actions took place to obtain the song.

A more serious example of what a compromised social media account can lead to occurred in 2013, when the Twitter account of the Associated Press was taken over. A tweet from the compromised account claimed that there had been explosions at the White House and that the president had been injured. Since the AP is a verified account, the tweets were taken seriously and resulted in a sharp drop in the Dow Jones for a few minutes. The single tweet caused a $200 billion drop in the U.S. stock market.

While the Dow recovered and the Twitter account was suspended, this incident demonstrates just what can happen. There’s also the potential for malware distribution via account compromise. For example, Kevin Bacon’s Twitter account was taken over and a link posted to his hundreds of thousands of followers, which sent them to a site that harvested their credentials. Obfuscated links in tweets, often using URL shorteners, can also send clickers to drive-by download sites to get infected with malware.

Other potential consequences of account takeovers stem from password reuse. Getting hacked is easy when you’re using the same login credentials between applications.

Even if there are no serious consequences of a social media account takeover, explaining to friends that those nasty posts you made were the result of being hacked may not be totally believable; this has become the go-to answer when people wish to avoid responsibility for something they posted.

How to Protect Against Takeovers — Small Steps, Big Gains

Whatever the method being used by attackers to compromise accounts, there are some simple steps you can take to help keep your profiles safe and protect yourself from hacks.

The most important step is also the easiest to implement. If you use the same email address for multiple services (e.g., for TeamViewer and Twitter), make absolutely sure that the password for each account is different.

Keeping track of accounts and passwords can be a headache, so using a password manager to store those details makes sense. Make sure that it has a strong master password; the login credentials for that application would be very valuable to attackers, allowing them access to the details for every account stored in it.

Other recommendations:

  • Turn on out-of-band or two-factor authentication. Many providers will email or text you a code to confirm your identity if you need to recover a password or perform administration on your account. Google Authenticator is an example of an out-of-band authentication mechanism.
  • Use automatically generated passwords instead of trying to come up with unique ones yourself. Most password managers provide this capability.
  • If you own your own domain and your provider allows you to set up a catchall email account (i.e., any account name in the domain gets delivered to the main mailbox), use slight variations for each web account — for example, [email protected]. This helps you determine where your account credentials were harvested, whether it’s a hack or simply the provider selling your account name for marketing purposes.
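The catchall-alias idea above can be turned into a small triage script: it reads an incoming message, maps the recipient alias back to the service it was registered with, and flags mail arriving at that alias from a domain the service never uses. This is an added example, not code from the original article; it assumes a catchall domain example.com, aliases of the form me-<label>@example.com, and a constructed registry of labels and legitimate sender domains.

```python
"""Attribute mail to the web account whose catchall alias received it (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed catchall setup: every service got its own me-<label>@example.com alias
CATCHALL_DOMAIN = "example.com"
ALIAS_PREFIX = "me-"

# Constructed registry: alias label -> (service name, domains that service legitimately sends from)
ALIAS_REGISTRY = {
    "twtr": ("Twitter", {"twitter.com"}),
    "tv": ("TeamViewer", {"teamviewer.com"}),
    "shop": ("Example Shop", {"shop.example"}),
}


def alias_label(address):
    """Return the label of one of our catchall aliases, or None if the address is not ours."""
    local, _, domain = address.lower().partition("@")
    if domain != CATCHALL_DOMAIN or not local.startswith(ALIAS_PREFIX):
        return None
    return local[len(ALIAS_PREFIX):]


def attribute_message(raw):
    """Map a raw RFC 822 message to the service its recipient alias was given to.

    Returns (service, sender_domain, suspicious). suspicious is True when mail
    reaches an alias from a domain that service never uses: a sign the alias,
    and likely the credentials registered with it, leaked from that service.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    for header in ("To", "Delivered-To"):
        _, rcpt = parseaddr(msg.get(header, ""))
        label = alias_label(rcpt)
        if label in ALIAS_REGISTRY:
            service, expected = ALIAS_REGISTRY[label]
            return service, sender_domain, sender_domain not in expected
    return None, sender_domain, False


# Constructed sample: a password-reset lure arriving at the alias given only to Twitter
SAMPLE = """From: "Account Team" <support@login-reset.example.net>
To: <me-twtr@example.com>
Subject: Verify your account

Click here to confirm your password.
"""

if __name__ == "__main__":
    print(attribute_message(SAMPLE))  # ('Twitter', 'login-reset.example.net', True)
```

A hit on an alias that was never shared with anyone but one provider tells you which account to treat as exposed and reset first.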

Taking the steps outlined above can go a long way in helping you be confident that your voice remains your own in the world of social media.
