The European Bank for Reconstruction and Development (EBRD) is not having the best of mornings, as it itself admitted.
Good morning
Not such a great morning, in fact
We have been hacked but now hope that the situation is under control
Earlier today the bank’s @EBRD Twitter account, and that of its sister account @EBRDgreen, were hijacked by a hacker who began to post the kind of messages you don’t normally expect to see from an international financial institution.
And it seemed the hacker was actually courting the media’s attention by, for instance, tagging BBC home affairs correspondent Daniel Sandford in one message.
Of course, it’s sadly not unusual for Twitter accounts to be breached, but what makes this case somewhat unusual is the very public cat-and-mouse struggle that the EBRD seemed to be having with its hackers.
At one point some may have found it hard to tell which were the genuine tweets made by the EBRD and which had been made by its hacker, as one tweet from @EBRD asked for the account to be locked to stop the hacker and another claimed that it was the hacker who had posted the lockdown request. Only the hacker’s poor spelling and grammar gave the game away.
Embarrassingly for the bank, the messages from the hacker continued to be posted even after @EBRD had posted an apology on its account.
At the time of writing, it appears that the EBRD has regained control of its account and repelled its unwanted intruder.
It may, however, wish to take a careful look at its security – ensuring that passwords are not being reused, enabling two-factor authentication where possible, looking carefully at the security of third-party apps it may have connected to its account, and educating the staff about the dangers of phishing attacks.
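The four measures listed above are the kind of thing an organisation can turn into a routine access review rather than a one-off scramble after an incident. The script below is an added example, not code from the original article or from the EBRD: it runs those checks over a constructed inventory of a hypothetical organisation's shared social-media accounts, flagging a credential shared by more than one account, accounts without two-factor authentication, connected third-party apps with write access that have not been reviewed recently, and account owners whose phishing-awareness training is missing or out of date. The account handles, staff names, field names and review windows are all assumptions.

```python
"""Access review for shared social-media accounts (constructed sample data).

Added example, not part of the original article. It checks the four points the
article recommends: password reuse, two-factor authentication, connected
third-party apps, and staff phishing-awareness training. All handles, names
and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class ConnectedApp:
    name: str
    permissions: str  # "read" or "read-write"
    last_reviewed: date


@dataclass
class SocialAccount:
    handle: str
    # Identifier of the secret in the password manager, never the password itself;
    # two accounts with the same credential_id share one password.
    credential_id: str
    two_factor: bool
    apps: List[ConnectedApp] = field(default_factory=list)
    owners: List[str] = field(default_factory=list)


@dataclass
class StaffMember:
    name: str
    phishing_training: Optional[date]  # date of last training, None if never


# Assumed policy windows: apps with write access are re-approved quarterly,
# staff who hold account access repeat phishing training yearly.
APP_REVIEW_WINDOW_DAYS = 90
TRAINING_WINDOW_DAYS = 365


def audit(accounts, staff, today):
    """Return a sorted list of (finding, subject) tuples for the inventory."""
    findings = set()

    # 1. Password reuse: the same credential backing more than one account.
    accounts_by_credential = defaultdict(list)
    for acct in accounts:
        accounts_by_credential[acct.credential_id].append(acct.handle)
    for handles in accounts_by_credential.values():
        if len(handles) > 1:
            findings.add(("password-reuse", ", ".join(sorted(handles))))

    staff_by_name = {s.name: s for s in staff}
    for acct in accounts:
        # 2. Two-factor authentication not enabled on the account.
        if not acct.two_factor:
            findings.add(("no-2fa", acct.handle))

        # 3. Third-party apps that can post on the account's behalf and whose
        #    access has not been re-approved within the review window.
        for app in acct.apps:
            days_since_review = (today - app.last_reviewed).days
            if app.permissions == "read-write" and days_since_review > APP_REVIEW_WINDOW_DAYS:
                findings.add(("stale-app-review", f"{acct.handle}:{app.name}"))

        # 4. Owners with no recorded, or out-of-date, phishing training.
        for owner in acct.owners:
            member = staff_by_name.get(owner)
            trained = member is not None and member.phishing_training is not None
            if not trained or (today - member.phishing_training).days > TRAINING_WINDOW_DAYS:
                findings.add(("phishing-training", f"{acct.handle}:{owner}"))

    return sorted(findings)


# Constructed inventory for a hypothetical organisation (not real accounts).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_STAFF = [
    StaffMember("alice", date(2024, 1, 15)),
    StaffMember("bob", None),
]
SAMPLE_ACCOUNTS = [
    SocialAccount(
        "@org_main", "cred-001", two_factor=False,
        apps=[ConnectedApp("scheduler", "read-write", date(2023, 11, 1))],
        owners=["alice", "bob"],
    ),
    SocialAccount(
        "@org_green", "cred-001", two_factor=True,  # same credential as @org_main
        apps=[ConnectedApp("analytics", "read", date(2023, 1, 1))],
        owners=["alice"],
    ),
]

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_ACCOUNTS, SAMPLE_STAFF, SAMPLE_TODAY):
        print(f"{finding:18} {subject}")
```

Run against the sample inventory it reports the shared credential between the two accounts, the missing 2FA on the main account, the unreviewed scheduling app with write access, and the untrained co-owner; the read-only analytics app is deliberately not flagged, since an app that cannot post is not the route by which a hijacked account starts tweeting.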
From the childish appearance of this attack, the hack appears to have been more the work of a mischief-maker than of someone setting out to cause serious malicious mayhem, but once a cybercriminal has wrested control of your Twitter account from you it’s all too easy for it to be used to spread disinformation, scams, and malicious links to followers.