Over the last few weeks there have been some very large data dumps made public, with the data from past LinkedIn and Myspace breaches perhaps being the most notable. Due to the allegedly weak encryption used to protect the data, there is also concern that credentials from the Myspace dump in particular could be used in phishing attempts and attempts to log in to accounts on other popular services such as Facebook and Twitter. While the data is aged, it is quite possible that some users may not have changed their passwords within the last three years.

High-Profile Account Takeovers

Reports recently surfaced describing the takeover of some very high-profile users’ social media accounts, including Facebook CEO Mark Zuckerberg, singer Katy Perry, reality star Kylie Jenner and Twitter founder Evan Williams. Other notable Twitter accounts also recently compromised include those of the NFL and rapper Drake, Mashable reported. Whether these account takeovers are related to user details from the dumps is unknown.

The group allegedly behind the Zuckerberg and Williams account takeovers goes by the name of OurMine. The group has been associated with the account takeovers of popular YouTube posters. According to a report from Akamai, in 2015 the group was responsible for a series of distributed denial-of-service (DDoS) attacks against financial institutions, with the largest attack clocking in at some 117 Gbps.

When we checked the OurMine Twitter account after the Zuckerberg takeover, it had been suspended, but the Google cache version showed almost 50,000 followers. A cached copy of that account also revealed the group claimed to have access to some of Bill Gates’ accounts. The attackers appear to have created a backup account in May 2016, which they used when conducting their next wave of cyberattacks.

Through this Twitter profile, the group claimed to have accessed accounts belonging to DJ and music producer David Guetta along with Evan Williams. This account has now also been suspended. According to ValueWalk, the attackers first obtained access to Williams’ profile via his Foursquare account.

The official Twitter blog reported that the site investigated reports of usernames and passwords being available on the Dark Web. In the post, the company stated it is confident the usernames and passwords were not obtained through a breach of Twitter itself; the data is more likely a collection of credentials obtained through breaches of other sites or possibly through credential-stealing malware.

Twitter checked the details obtained against user accounts, identifying at-risk accounts and others that had “direct password exposure.” These accounts were locked and required a password reset.

We Live Security reported that some 32 million login credentials for the social media site are available on the Dark Web. Whether the username and password details for all accounts are accurate is another question, but it would seem apparent from the hacks and Twitter’s response that at least some of them are.
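The process Twitter describes above (compare a published credential dump against your own user store, then lock and force a reset on every account with direct password exposure) can be shown in a few dozen lines. The following is an added example, not code from the original article or from Twitter: the user store, the salted-hash scheme and the dump lines are all constructed for illustration, and the usernames and passwords are made up.

```python
"""Provider-side check of a leaked credential list against a user store.

Added example (not the article's or Twitter's code). It mirrors the
flow described in the text: parse a dump, test each leaked password
against the matching account's stored salted hash, and lock plus
force-reset every account that has direct password exposure.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    must_reset: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the stdlib; a production store would use a
    # tuned work factor (or argon2/scrypt), but this is enough to show the flow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)  # per-user random salt
    return Account(username.lower(), salt, hash_password(password, salt))


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse 'user:password' lines; blank or malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        pairs.append((user.strip().lower(), pw))
    return pairs


def find_exposed(accounts: dict[str, Account],
                 dump: list[tuple[str, str]]) -> list[str]:
    """Return usernames whose *current* password appears verbatim in the dump.

    The leaked plaintext is hashed with the account's own salt and compared
    in constant time; accounts not in our store are ignored.
    """
    exposed = []
    for user, leaked_pw in dump:
        acct = accounts.get(user)
        if acct is None:
            continue  # name appears in the dump but is not one of our users
        candidate = hash_password(leaked_pw, acct.salt)
        if hmac.compare_digest(candidate, acct.pw_hash):
            exposed.append(user)
    return sorted(set(exposed))


def lock_and_force_reset(accounts: dict[str, Account], exposed: list[str]) -> int:
    """Lock every exposed account and require a password reset; return the count."""
    for user in exposed:
        accounts[user].locked = True
        accounts[user].must_reset = True
    return len(exposed)


# Constructed sample data: three local accounts and a four-line "dump".
ACCOUNTS = {a.username: a for a in (
    create_account("alice", "correct horse battery"),
    create_account("bob", "hunter2"),
    create_account("carol", "s3cret-pass"),
)}
SAMPLE_DUMP = """
alice:correct horse battery
bob:not-bobs-password
dave:whatever
CAROL:s3cret-pass
"""

if __name__ == "__main__":
    hits = find_exposed(ACCOUNTS, parse_dump(SAMPLE_DUMP))
    print("direct password exposure:", hits)
    print("accounts locked:", lock_and_force_reset(ACCOUNTS, hits))
```

Note that this only works when the dump carries plaintext passwords (or hashes you can reproduce). If a dump holds passwords under another site's own hashing scheme, you cannot match them against your salted store directly; the practical fallback is to treat every listed username as at risk and prompt a reset.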

More Than Just Bragging Rights

You may wonder why the takeover of a social media account is important. What can the attackers do beyond post some rude or braggadocious tweets?

In the case of the Katy Perry account takeover, The Guardian reported that those responsible uploaded one of her unreleased songs to the music hosting site SoundCloud. It’s not clear how these two incidents are related, but it’s possible that additional nefarious actions took place to obtain the song.

A more serious example of what a compromised social media account can lead to occurred in 2013, when the Twitter account of the Associated Press was taken over. A tweet from the compromised account claimed that there had been explosions at the White House and that the president had been injured. Since the AP is a verified account, the tweets were taken seriously and resulted in a sharp drop in the Dow Jones for a few minutes. The single tweet caused a $200 billion drop in the U.S. stock market.

While the Dow recovered and the Twitter account was suspended, this incident demonstrates just what can happen. There’s also the potential for malware distribution via account compromise. For example, Kevin Bacon’s Twitter account was taken over and a link posted to his hundreds of thousands of followers, which sent them to a site that harvested their credentials. Obfuscated links in tweets, often using URL shorteners, can also send clickers to drive-by download sites to get infected with malware.

Other potential consequences of account takeovers stem from password reuse. Getting hacked is easy when you use the same login credentials across applications: one breached service exposes every other account that shares the password.

Even if there are no serious consequences of a social media account takeover, explaining to friends that those nasty posts you made were the result of being hacked may not be totally believable; this has become the go-to answer when people wish to avoid responsibility for something they posted.

How to Protect Against Takeovers — Small Steps, Big Gains

Whatever the method being used by attackers to compromise accounts, there are some simple steps you can take to help keep your profiles safe and protect yourself from hacks.

The most important step is also the easiest to implement. If you use the same email address for multiple services (e.g., for TeamViewer and Twitter), make absolutely sure that the password for each account is different.

Keeping track of accounts and passwords can be a headache, so using a password manager to store those details makes sense. Make sure that it has a strong master password; the login credentials for that application would be very valuable to attackers, allowing them access to the details for every account stored in it.

Other recommendations:

  • Turn on out-of-band or two-factor authentication. Many providers will email or text you a code to confirm your identity if you need to recover a password or perform administration on your account. Google Authenticator is an example of an out-of-band authentication mechanism.
  • Use automatically generated passwords instead of trying to come up with unique ones yourself. Most password managers provide this capability.
  • If you own your own domain and your provider allows you to set up a catchall email account (i.e., any account name in the domain gets delivered to the main mailbox), use slight variations for each web account — for example, [email protected]. This helps you determine where your account credentials were harvested, whether it’s a hack or simply the provider selling your account name for marketing purposes.

Taking the steps outlined above can go a long way in helping you be confident that your voice remains your own in the world of social media.
