Yesterday the social media accounts of at least 16 NFL teams were hijacked by a hacking gang with a history of mischievous attacks.
The hacking group OurMine claimed responsibility for the account hijackings, which saw unauthorised messages posted, and in some cases profile pictures changed or deleted, on Facebook, Twitter, and Instagram.
The NFL teams targeted, which have many millions of social media followers between them, were the Arizona Cardinals, Buffalo Bills, Chicago Bears, Cleveland Browns, Dallas Cowboys, Denver Broncos, Green Bay Packers, Houston Texans, Indianapolis Colts, Kansas City Chiefs, Los Angeles Chargers, Minnesota Vikings, New York Giants, Philadelphia Eagles, San Francisco 49ers, and the Tampa Bay Buccaneers.
In the case of the Chicago Bears Twitter account, a bogus message was posted claiming the club had been sold to a Saudi Royal Court advisor.
Two of the affected teams, the San Francisco 49ers and the Kansas City Chiefs, are playing in this weekend’s upcoming Super Bowl.
In addition, the hackers compromised the official Twitter account of the National Football League itself.
OurMine described its attack, which appears to have been through the compromise of a third-party social platform used by the various teams, as a demonstration to “show people that everything is hackable,” and cheekily suggested victims should get in touch to improve their account security.
The OurMine group has been up to similar shenanigans in the past. For instance, they hijacked the Pinterest account of Mark Zuckerberg, and the Twitter accounts of Sony PlayStation chief Shuhei Yoshida, HBO, TechCrunch, and FC Barcelona amongst others.
The group has also meddled with the DNS registry entries for WikiLeaks and published 3.12 terabytes of internal files that they had snaffled from VEVO.
But this latest attack against umpteen NFL teams could have been much more serious. It would have been trivial for the attackers to spread a malicious link to the many millions of people who ardently follow their favourite football team on social media, potentially infecting them with malicious code.
Instead, for now, the OurMine group seems to be holding back from doing anything *too* naughty – perhaps realising that if they are ever apprehended the consequences could be severe.
Hopefully the NFL and its teams are looking closely now at how they use third-party tools and services to manage their social media accounts, and ensuring that defences are in place to make it much harder for hackers to seize control.