Mark Zuckerberg’s Twitter and Pinterest Accounts Hacked
Facebook Inc.’s first “security tip” for users is, “Don’t use your Facebook password anywhere else online.”
If only Chief Executive Mark Zuckerberg had heeded that advice.
Mr. Zuckerberg’s Twitter Inc. and Pinterest Inc. accounts were taken over in recent days because he reused a password: “dadada,” according to a person familiar with the matter. The password had appeared last month in a database of more than 100 million usernames and passwords stolen in 2012 from LinkedIn Corp., the person said. Mr. Zuckerberg appears to have reused “dadada” to log into Twitter and Pinterest, allowing hackers to take over those accounts.
The age-old advice to not re-use passwords is particularly timely at the moment. Beyond the LinkedIn theft, there were also recent leaks of 360 million email addresses and passwords belonging to users of MySpace.com. Since May, the website Leakedsource.com, which sells access to the stolen information, has added close to one billion records to its database, a LeakedSource representative said Monday.
The passwords may be several years old, but they can still be useful to hackers, who then use them to try to break into other accounts, hoping that they will stumble on users, like Mr. Zuckerberg, who reuse their passwords.
“You have hundreds of millions of keys and you can try them on any major collection of locks you can find,” said Alex Holden, the chief information security officer with Hold Security LLC, a company that investigates data breaches.
The publicity around the hack of Mr. Zuckerberg’s accounts may prompt other attackers to take advantage of the stolen data in the same way, said Liam O’Murchu, director of Symantec Corp.’s security response team.
For Mr. Zuckerberg, the consequences of his account takeovers weren’t severe. The hacker who took over his Twitter account posted his highly insecure “dadada” password to the site. That was embarrassing, but Mr. Zuckerberg is hardly a power Twitter user: He has tweeted only 19 times, most recently in 2012.
For a time on Sunday, Mr. Zuckerberg’s Pinterest page said “Hacked by OurMine Team.” The group said it was “just testing” Mr. Zuckerberg’s security.
Others have been less fortunate. More than 100 users of TeamViewer GmbH, a German software company whose software gives users remote access to computer desktops, have had accounts taken over since the LinkedIn data was made public. The company believes the activity is linked to the recent rash of data disclosures.
Hundreds of TeamViewer users have taken to Reddit in recent days to discuss the account takeovers, with many saying that criminals had then used TeamViewer to take control of their computers and authorize transactions through Amazon.com Inc. or PayPal Holdings Inc.
“These cases of account abuse do not hinge on a TeamViewer vulnerability,” a TeamViewer spokesman said Monday. “They are the result of account and particularly password mismanagement.”
Researcher Gartner Inc. says more than two-thirds of consumers reuse their passwords. But Mr. Holden of Hold Security believes the LinkedIn breach may present a particularly alluring opportunity for criminals, because users are likely to reuse their LinkedIn passwords in their professional lives. That could expose users’ business data or allow hackers to take over accounts at job or travel sites.
“I would be worried about this being available to a great many people,” Mr. Holden said. “It looks like some of this data is already available publicly to many malicious individuals.”
“A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter,” a Twitter spokesperson said.
Pinterest echoed that advice. “We recommend everyone use a strong and unique password that isn’t used on other sites,” a spokeswoman said. – WallStreetJournal
