Hackers are targeting just about anyone these days, from the average Joe to Mark Zuckerberg, the inventor of the world’s most popular social network, who recently had a slew of his own social media accounts hijacked. If it can happen to Mark, the godfather of the social media revolution, it can happen to anyone.
Late May and early June were a rough few weeks in the world of social media security. A single hacker posted hundreds of millions of stolen user credentials from five major social network breaches, and a dozen celebrities and organizations had their accounts hijacked. And, you guessed it, they are all part of the same story.
Breached Networks and Leaked Credentials
Five major social networks — LinkedIn, Tumblr, Myspace, Twitter and Russia’s VK — all suffered leaked user credentials. That’s not to say they were all breached in the past few weeks (LinkedIn, for instance, was compromised in 2012), but all were the subjects of major data dumps on cybercriminal marketplaces. The hackers allegedly responsible for the breach, Peace_of_Mind (or “Peace”) and Tessa88, are charging just $100 in bitcoin for each set of 100K credentials.
By the numbers, these data dumps collectively represent some of the biggest in history: 160 million from LinkedIn, 68 million from Tumblr, 360 million from Myspace, 171 million from VK and 71 million from Twitter. We’re hesitant to total them because there is likely a good amount of overlap (more on that later).
The pair of hackers has hinted that they are far from done. Hacker Tessa88 said Instagram was their next target. In a bold interview with Wired, Peace claimed they have more data waiting to be dumped. “About another 1B users or so, again [from breaches] in the same timeframe: 2012-2013.”
The credentials were a mix of hashes stored with and without “salt”, a protection applied to stored passwords (see here for an in-depth explainer). Salting involves adding a random string of characters to a password before it is hashed (hashing being the one-way function that stores the password as a fixed string of characters rather than in plaintext). In hacker speak, a data dump “with salt” is more valuable.
Hijacked Accounts and Cyber Vandalism
Mark Zuckerberg was one of a slew of celebrities and organizations whose social media accounts were compromised. Other high-profile breaches included the NFL, Kylie Jenner, Lana Del Rey, Tenacious D (Jack Black’s band), Yankees player Rob Refsnyder, Drake, Chelsea Handler, Keith Richards, Katy Perry and Bon Iver.
The hackers mostly posted spam and offensive tweets. The NFL’s account initially announced that Roger Goodell, the controversial commissioner for the league, had passed away. Only after thousands of retweets, and once conflicting reports began coming in, did followers start to call out the fraudulent tweets.
Case Study: Mark Zuckerberg
So how do these two trends — network compromises and hijacked social accounts — go together? Are they two sides of the same coin, or an unhappy coincidence? For answers, let’s look to the Mark Zuckerberg hack.
Mark Zuckerberg lost control of both his Twitter and Pinterest accounts on June 5th for a short period of time. In one of the errant tweets, the hacker claimed that the LinkedIn data dump was to blame. But this raises an obvious question: how did a LinkedIn data breach in 2012 lead to a compromised Twitter account in 2016?
Ah yes, password reuse rears its ugly head once again.
About 7 in 10 people use the same passwords for their social media accounts as for their corporate email. And clearly many users use the same password on multiple social networks. This fundamental truism of cybersecurity is why even the Myspace hack matters and why Peace and his accomplices can sell your credentials online for a nice profit.
Peace acknowledges that password reuse is one of the main reasons he can sell passwords for as much as he does. When asked how the stolen passwords are used by his buyers, Peace writes, “Well, [the] main use is for spamming. There is a lot of money to be made there, as [well as] in selling to private buyers looking for specific targets. As well, password reuse—as seen in recent headlines of account takeovers of high profile people. Many simply don’t care to use different passwords which allows you to compile lists of Netflix, Paypal, Amazon, etc. to sell in bulk.”
So herein lies the issue. Even a set of credentials stolen from Myspace half a decade ago still fetches a good price simply because the everyday user practices poor password security.
According to the hacker that breached Zuckerberg’s account, Mark’s password was “dadada,” again, across multiple platforms. Oops. The most commonly used passwords were “123456,” “password” and “12345.”
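As an added illustration (not part of the original post) of the salting explanation above and of the password-reuse problem in the Zuckerberg case: constructed sample dumps, with SHA-256 standing in for whatever hash function the real networks used, show that unsalted hashes can be matched against a short list of common passwords with a single table and reveal cross-site reuse directly, while per-user salts force a separate pass over the list for every user. All user names, salts and the two strong passphrases are made up.

```python
import hashlib
import os

# Passwords named in the article; everything else below is constructed sample data.
COMMON_PASSWORDS = ["123456", "password", "12345", "dadada"]

def hash_unsalted(password: str) -> str:
    """One-way hash of the bare password: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    """Hash of a per-user random salt plus the password: equal passwords differ."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """One table of len(wordlist) hashes covers every user in an unsalted dump."""
    table = {hash_unsalted(pw): pw for pw in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}

def crack_salted(dump: dict[str, tuple[bytes, str]],
                 wordlist: list[str]) -> tuple[dict[str, str], int]:
    """No shared table works: every user costs a fresh pass over the wordlist.
    Returns the matches and the number of hashes that had to be computed."""
    found, work = {}, 0
    for user, (salt, stored) in dump.items():
        for pw in wordlist:
            work += 1
            if hash_salted(pw, salt) == stored:
                found[user] = pw
                break
    return found, work

def reuse_across_dumps(dump_a: dict[str, str], dump_b: dict[str, str]) -> list[str]:
    """Unsalted dumps expose reuse without any cracking: same user, same hash."""
    return [u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u]]

# Constructed users: two reuse a weak password on both sites, one does not.
USERS_A = {"mark": "dadada", "alice": "123456", "bob": "vK9#long-unique-passphrase"}
USERS_B = dict(USERS_A, bob="a-different-passphrase-for-site-b")
SITE_A = {u: hash_unsalted(p) for u, p in USERS_A.items()}      # stored without salt
SITE_B = {u: hash_unsalted(p) for u, p in USERS_B.items()}      # stored without salt
SALTS = {u: os.urandom(16) for u in USERS_A}                     # 16 random bytes per user
SITE_C = {u: (SALTS[u], hash_salted(p, SALTS[u])) for u, p in USERS_A.items()}

if __name__ == "__main__":
    print("unsalted cracked:", crack_unsalted(SITE_A, COMMON_PASSWORDS))
    print("salted cracked, hashes computed:", crack_salted(SITE_C, COMMON_PASSWORDS))
    print("reused on both sites:", reuse_across_dumps(SITE_A, SITE_B))
```

With four candidate passwords the unsalted dump costs four hashes no matter how many users it holds, while the salted dump costs up to four hashes per user; on a real dump with a real wordlist that gap is what makes the salted data harder to exploit.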
The State of Social Media Security
Not to keep picking on Mr. Zuckerberg, but if one of the inventors of the whole wide world of social networking has his own challenges securing his own social media accounts, who else might too? Who at your organization is at risk? Your social media manager? Your head of IT security? Your CFO? Your CEO?
Cybercriminals have increasingly turned to social media for the same reasons your marketing team has: ease of use, low cost, scale and accessibility. The cybercriminal has the added advantage that the platforms are unregulated and invisible to security teams.
Humans are the weakest element in your security posture, and now all of your people are voluntarily exposed on social networks that IT does not manage, without visibility or controls from the security team. According to Intel McAfee, your employees already experience more cybercrime on social media than on any other business platform, including email and file sharing.
The question for every organization is how exposed are you? After hundreds of millions of leaked social media credentials, most organizations are forced to answer, “I don’t know.” Until they recognize that social media is the new superhighway for cybercrimes, every modern organization is a potential victim for these types of threats.
Although there is nothing your IT team can do about social network accounts getting compromised, there are ways to protect your business and employee social media accounts regardless. The most obvious, and we’ve said it a hundred times before, is multi-factor authentication. This should be standard security practice for everyone online today. Apparently Mark Zuckerberg and the NFL’s social media team didn’t get the memo. Multi-factor authentication forces anyone logging into an account to supply, in addition to the password, a code sent to a separate device or generated by third-party authenticator software. So to carry out the Mark Zuckerberg hack, you would need not only his credentials but his physical mobile device or third-party authenticator as well.
The second piece of advice is to avoid password reuse at all cost. We know it can be difficult nowadays, when everyone has several dozen logins, to generate and remember unique, robust passwords. We suggest a password manager, which can automatically generate and store passwords, such as the popular Dashlane and LastPass products.
Most of all, we recommend taking social media security seriously. These account hijackings are likely only the tip of the iceberg. With so many stolen credentials circulating in the hackersphere, expect more accounts to get compromised. Learn to protect yourself and, more importantly, your business. Although these account takeovers were relatively harmless vandalism and trolling, imagine if a cybercriminal blasted your [enter number of followers] followers with a fake coupon (“2016/7 NFL season tickets half-off for the next 30 minutes! #nfl #discount #football”) appended with the latest and greatest malware. Imagine the cataclysmic fallout of a cybercrime at the scale and speed of social media. Mark Zuckerberg, the NFL and everyone else involved should be thankful it wasn’t worse — much, much worse.
To find out more about how to protect your organization from the dynamic risks on social media, check out the whitepaper, The Social Takeover: The Top Five Social Media Threats. For information on how ZeroFox is automating the detection and remediation of social threats, visit zerofox.com/platform.