Not all hacking is motivated by the desire to make money or steal secrets.
Sometimes a hack can be designed just to play a practical joke.
In today’s example, it’s fans of one of the world’s top football clubs, FC Barcelona, who are having their legs pulled.
The OurMine hacking gang have turned their attention from HBO and Sony to the soccer club, breaking into its social media accounts to announce that former Real Madrid player Angel Di Maria had been signed up for the team.
FC Barcelona and Real Madrid are bitter rivals, so news that a player is switching allegiances from one side to another is likely to get fans fuming.
Welcome Angel Di Maria to FC Barcelona! #DiMariaFCB
Within a couple of minutes, OurMine admitted its involvement.
And sometime after that, FC Barcelona retook possession of the account and apologised to its 23.1 million followers on Twitter.
Our accounts have been hacked tonight.
We’re working to solve the problem as soon as possible.
Thanks for your patience. — FC Barcelona (@FCBarcelona) August 23, 2017
FC Barcelona may want to look again at its defence, because it is clearly lacking when it comes to protecting its social media accounts.
That means not only training staff in password best practice and raising awareness about phishing attacks, but also making them aware of the security benefits of enabling two-step verification or two-factor authentication.
It’s not as if FC Barcelona shouldn’t be aware of these risks. For instance, back in 2014 the Syrian Electronic Army managed to seize control of the football club’s Twitter account.
In my view, all Twitter and Facebook users should take advantage of the two-step verification features available on sites like Facebook and Twitter to make it harder for hackers to break in, even if they do manage to work out your password.
However, Twitter and Facebook-specific security features may not have helped in this particular case, as a clue in the hackers’ tweets reveals.
You see, the messages were sent via Hootsuite, a third-party social media management app that many organisations use to run their social media presence.
All OurMine had to do was work out FC Barcelona’s Hootsuite password… and that gave them the ability to post messages to FC Barcelona’s Twitter and Facebook accounts.
Fortunately, there’s a way to protect Hootsuite accounts with two-step verification. Once in place, Hootsuite will ask you to enter a six-digit one-time password, alongside your username and password, to successfully log in.
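The clue mentioned above is the posting-client label attached to each tweet. As an added example (not part of the original article), the following Python inventories which clients post to an account, assuming tweet objects that carry a Twitter API v1.1-style `source` field; the client names, URLs and sample timeline are constructed for illustration.

```python
import html
import re
from collections import Counter

# Clients run by Twitter itself, covered by the Twitter login and its two-step
# verification. The exact names are assumptions for this example.
FIRST_PARTY = {"Twitter Web Client", "Twitter for iPhone", "Twitter for Android"}
_TAG = re.compile(r"<[^>]+>")


def client_name(source):
    """Display name of the posting client from a tweet's `source` value.

    API v1.1 wraps the name in an <a> element; a bare name is accepted too.
    """
    return html.unescape(_TAG.sub("", source or "")).strip() or "(unknown)"


def posting_clients(tweets):
    """Count tweets per posting client."""
    return Counter(client_name(t.get("source")) for t in tweets)


def third_party_clients(tweets):
    """Clients with their own login that can post to the account.

    Each one needs its own strong password and two-step verification.
    """
    return sorted(set(posting_clients(tweets)) - FIRST_PARTY)


def unapproved_posts(tweets, approved):
    """IDs of tweets sent through a client missing from the approved list."""
    return [t["id"] for t in tweets if client_name(t.get("source")) not in approved]


# Constructed sample timeline, not real API output.
SAMPLE = [
    {"id": 1, "source": '<a href="https://example.com/web" rel="nofollow">Twitter Web Client</a>'},
    {"id": 2, "source": '<a href="https://example.com/hs" rel="nofollow">Hootsuite</a>'},
    {"id": 3, "source": '<a href="https://example.com/hs" rel="nofollow">Hootsuite</a>'},
    {"id": 4, "source": '<a href="https://example.com/x" rel="nofollow">Example Scheduler &amp; Co</a>'},
    {"id": 5, "source": None},
]

if __name__ == "__main__":
    print(posting_clients(SAMPLE))
    print(third_party_clients(SAMPLE))
    print(unapproved_posts(SAMPLE, approved=FIRST_PARTY | {"Hootsuite"}))
```

Every name returned by `third_party_clients` is a separate login that can publish to the account, so Twitter's own two-step verification does not cover it.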
In this case, the unauthorised social media posts may have been more about mischief than malice, but that doesn’t mean they should be treated any less seriously. All organisations need to ensure they have tight security in place, before a hacker uses an opportunity like this to send out a malicious tweet designed to spread malware, launch a phishing attack or trick users into visiting dangerous websites.
This is a great perspective on their hacking! I never would've noticed it was posted through Hootsuite. Makes sense!