A host of Facebook accounts belonging to US baseball teams were hacked yesterday, and defaced with messages in dubious taste, including one which claimed that New York Yankees captain Derek Jeter was undergoing a sex change.
"We regret to inform our fans that Derek Jeter will miss the rest of the season with sexual reassignment surgery. He promises to come back stronger than ever in 2013 as Minnie Mantlez"
Other clubs affected included the Miami Marlins, San Diego Padres, Chicago White Sox, Washington Nationals, Chicago Cubs and San Francisco Giants.
Here is a selection of the messages that were posted:
Clearly an unauthorised party had managed to gain admin access to the Facebook pages in order to post the messages – and the first thought is that it would be a very strange coincidence to have the Facebook pages of so many clubs compromised at the same time.
However, it turns out that the clubs run the Facebook pages in conjunction with MLB Advanced Media.
One possible scenario is that an MLB Advanced Media employee was sloppy with their password (maybe they weren’t using a hard-to-guess password, or maybe they were using a password that they had also been using elsewhere on the net), allowing a hacker to gain access and post the inappropriate content.
A spokesperson for the baseball league told the Wall Street Journal that they were working with Facebook and law enforcement to see if they could identify what had happened, and who might have been responsible:
"For a brief moment today, a few MLB Club Facebook accounts were hacked and inappropriate material was briefly on display from those Clubs' pages on Facebook. MLB Advanced Media oversees these Facebook pages on behalf of the Clubs and regrets this occurrence. We are working with Facebook, Major League Baseball Security and, where appropriate, legal authorities to determine the circumstances surrounding this situation."
I guess everyone should be grateful that the hacker didn’t exploit their access to the baseball clubs’ Facebook pages by posting something more malicious – such as links to malware-infected pages – that could have impacted thousands of sports fans.
This isn’t, of course, the first time that Facebook fan pages have been hacked and unauthorised posts made. There have been a wide variety of victims in the past, ranging from Viagra manufacturer Pfizer, Nicolas Sarkozy, and last year the rapper Soulja Boy who blamed a hacker for a series of racist and homophobic rants.
Perhaps the most embarrassing incident of this nature was when Facebook’s own CEO, Mark Zuckerberg, had his official fan page hacked via an API bug.
Make sure that you keep informed about the latest security and privacy issues on Facebook. Join the Sophos page on Facebook, where over 190,000 people regularly share information on threats and discuss the latest security news.
Baseball player image from Shutterstock.