The official HBO and Game of Thrones Twitter and Facebook accounts were hacked early today. HBO rapidly reclaimed the accounts, and it does not appear the attackers were able to breach anything beyond the accounts themselves. #HBOHacked was trending on Twitter shortly after the incident.
This event comes on the heels of both a data breach on HBO network and a third-party broadcaster accidentally leaking a highly-anticipated Game of Thrones episode.
The night before the social media attack, HBO Nordic in Spain mistakenly published the newest unreleased Game of Thrones episode. It was live for over an hour, ensuring it quickly spread across the internet.
Two weeks prior, hackers breached HBO’s corporate network and exfiltrated 1.5 terabytes of data, including scripts for an unaired episode of Game of Thrones and full episodes of Ballers and Room 104. These were leaked the following day, and hackers threatened to leak even more data, including internal emails, unless HBO paid a ransom of nearly $6 million in bitcoin.
While it’s unclear whether that network breach and the account takeover were directly related, it is possible that data from the former helped other hackers carry out the latter. Pivoting from breached data to take over digital and social accounts is a common tactic referred to as credential stuffing. It’s also possible that attackers chose to target HBO’s social accounts merely because the company had been at the center of security news for several weeks running.
Account takeovers are nothing new. Major accounts including the Associated Press and USCENTCOM have been hacked in the past, and ZeroFox has written extensively on both the prevalence and cost of account takeovers. Attacks like these are an increasingly common occurrence, and cyber criminals, hacktivists and cyber vandals regularly target highly-visible accounts to spread their message or demonstrate their hacking skills. These accounts often prove to be easy targets, especially for organizations that have not fully incorporated their business’ social media presence into their security protocols. In a business landscape where an organization’s Twitter or Facebook account is as important as (or even more important than) a company website, organizations need to significantly boost controls around social accounts and other social or digital business assets.
Account Security Best Practices and Recommendations
Social media is an effective attack vector for malicious actors. We have tracked account compromises resulting from credential stuffing, weak passwords, lack of two-factor authentication, social app hacking and phishing payloads. This attack most likely stemmed from the compromised personal account of a corporate account manager, and the attackers subsequently pivoted to compromise the corporate social media accounts themselves. It is important to consider social media security in your company’s threat model, as an attack like this could also have been used to pivot into the corporate infrastructure.
ZeroFox’s Alpha Team recommends the following best practices when it comes to social account security:
- Use a randomized password for each of your social media accounts; a password manager like LastPass or DashLane can help make this easier.
- Enable two-factor authentication on all social networks; use Google Authenticator or Duo instead of SMS when available.
- Curate and remove any social apps you are not using, as those can be leveraged for account takeover.
- Monitor usage of your corporate accounts for account takeover indicators with a tool like ZeroFox.
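As an added illustration of the last recommendation (this is example code written for this post, not part of the ZeroFox Platform), the script below runs two simple account-takeover detections over a constructed authentication log: a source IP that tries many distinct usernames in a short window (the credential-stuffing pattern described above), and a sensitive account change that follows a successful login from such a source. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, source IP,
# username, outcome (ok/fail), event kind (login or a sensitive change).
SAMPLE_LOG = """\
2017-08-17T03:00:01Z 203.0.113.9 alice fail login
2017-08-17T03:00:02Z 203.0.113.9 bob fail login
2017-08-17T03:00:03Z 203.0.113.9 carol fail login
2017-08-17T03:00:04Z 203.0.113.9 dave fail login
2017-08-17T03:00:05Z 203.0.113.9 erin fail login
2017-08-17T03:00:06Z 203.0.113.9 frank ok login
2017-08-17T03:00:20Z 203.0.113.9 frank ok password_change
2017-08-17T03:05:00Z 198.51.100.7 alice ok login
"""

def parse(log):
    """Parse the assumed space-separated log format into tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, outcome, kind = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome, kind))
    return events

def credential_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Source IPs that attempted logins as >= min_users distinct users within one window.
    Many usernames from one source in a short time is the hallmark of replayed breach data."""
    by_ip = defaultdict(list)
    for ts, ip, user, _outcome, kind in events:
        if kind == "login":
            by_ip[ip].append((ts, user))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged

def takeover_indicators(events, stuffing_ips):
    """(user, change) pairs where a sensitive change followed a successful login
    from a flagged source: the point at which an attacker locks the owner out."""
    compromised = {u for _, ip, u, o, k in events
                   if ip in stuffing_ips and o == "ok" and k == "login"}
    return [(u, k) for _, _, u, o, k in events
            if u in compromised and o == "ok" and k != "login"]
```

In practice the thresholds and window should be tuned to the platform's normal login volume, and the flagged events fed to whoever can force a password reset and revoke sessions.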
The ZeroFox Platform provides businesses critical controls for their social assets. Moreover, ZeroFox’s flexible FoxScript language allows customers to rapidly deploy custom protection against specific threats. To learn more about the ZeroFox Platform and how we protect our customers from social threats, schedule a demo today.