Sometimes hacks can be more about mischief than malice

FC Barcelona has its Twitter and Facebook accounts hijacked by the OurMine gang.

Sometimes hacks can be more about mischief than malice

Not all hacking is motivated by the desire to make money or steal secrets.

Sometimes a hack can be designed just to play a practical joke.

In today’s example, it’s fans of one of the world’s top football clubs, FC Barcelona, who are having their legs pulled.

Sign up to our free newsletter.
Security news, advice, and tips.

The OurMine hacking gang have turned their attention from HBO and Sony to break into the soccer club’s social media accounts to announce that former Real Madrid player Angel Di Maria had been signed-up for the team.

FC Barcelona and Real Madrid are bitter rivals, so news that a player is switching allegiances from one side to another is likely to get fans fuming.

Tweet 1

Welcome Angel Di Maria to FC Barcelona! #DiMariaFCB

Within a couple of minutes, OurMine admitted its involvement.

Tweet 2

And sometime after that, FC Barcelona retook possession of the account and apologised to its 23.1 million followers on Twitter.

FC Barcelona may want to look again at its defence, because it is clearly lacking when it comes to protecting its social media accounts.

That means not only training staff in password best practice, and raising awareness about phishing attacks, but also the security benefits of enabling two-step verification or two-factor authentication.

It’s not as if FC Barcelona shouldn’t be aware of these risks. For instance, back in 2014 the Syrian Electronic Army managed to seize control of the football club’s Twitter account.

Fcbarcelona 2014
The Syrian Electronic Army’s 2014 hack of FC Barcelona’s Twitter account

In my view all Twitter and Facebook users should take advantage of the two-step verification features available on sites like Facebook and Twitter to make it harder for hackers to break in, even if they do manage to work out your password.

However, Twitter and Facebook-specific security features may not have helped in this particular case, as a clue in the hackers’ tweets reveals.

Tweet hootsuite

You see the messages were sent via Hootsuite, a third-party social media management app that many organisations use to run their social media presence.

All OurMine had to do was work out FC Barcelona’s Hootsuite password… and that gave them the ability to post messages to FC Barcelona’s Twitter and Facebook accounts.

Fortunately, there’s a way to protect Hootsuite accounts with two-step verification. Once in place, Hootsuite will ask you to enter a six-digit one-time password, alongside your username and password, to successfully log in.

Hootsuite 3

In this case, the unauthorised social media posts may have been more about mischief than malice but that doesn’t mean they should be treated any less seriously. All organisations need to ensure they have tight security in place, before a hacker uses an opportunity like this to send out a malicious tweet designed to spread malware, launch a phishing attack or trick users into visiting dangerous websites.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Sometimes hacks can be more about mischief than malice”

  1. Kami

    This is a great perspective on their hacking! I never would've noticed it was posted through Hootsuite. Makes sense!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.