Over the weekend, Twitter and Pinterest accounts belonging to Facebook founder Mark Zuckerberg were hacked by a group called the “OurMine Team,” reportedly based in Saudi Arabia.
They were able to pull this off because Zuckerberg did exactly what online security experts have been encouraging people not to do for years: he used the same password for several different social media platforms.
It was a rather lame password, at that: “dadada.”
According to VentureBeat, the hackers got Zuckerberg’s password a few weeks ago, when the LinkedIn password database was stolen by other hackers. Either OurMine Team is associated with those hackers, or it obtained a copy of the leaked data and realized that one of the entries in the database belonged to Zuckerberg.
The hackers then set about breaking into various social media accounts with the password they had stolen, including an evidently unsuccessful attempt to crack his Instagram account. (VentureBeat threw in a little jab at Google+ by saying it appeared to be safe, either “because he used a different account and password there,” or because “nobody has bothered to check it yet.”)
The hackers were able to make the “dadada” password work on Twitter and Pinterest, although administrators soon regained control of the accounts. The hackers notified Zuckerberg of the attack from his own Twitter account, after creating a fake LinkedIn account for him. “We are just testing your security,” the hijacked tweet read.
The lax security practices on display are even more unfortunate in light of LinkedIn’s claim that the password database in question was actually stolen in 2012. That would mean Zuckerberg not only used the same low-security password for multiple accounts but also hadn’t bothered to change it for four years.
“This is the best reminder yet that if you have a LinkedIn account, you should go ahead and change your password there, and everywhere else. In fact, you should make it a habit to regularly change your passwords on all your online accounts. And if that is too much of a pain, at the very least, make a habit of using different passwords,” VentureBeat advises.
A similar note was sounded by the New York Times, which said the lesson of the Zuckerberg hack is, “Quit using the same password for multiple websites.”
“It shows it can happen to anyone – even geeks,” online security expert Graham Cluley told the Times. “The problem is that even if you have adopted sensible password practices now, your past mistakes may come back to haunt you.”
LinkedIn has invalidated all the user credentials involved in its data breach, and has been advising potentially compromised users to change their passwords on all other services.
Twitter suspended the account of OurMine Team, but they had a secondary account ready – through which a member of the team complained, “I don’t understand why Twitter suspended our account while we are saving people from other hackers!”