Kevin Bacon has his Twitter hacked – six degrees leads to something phishy

Online criminals hijacked the Twitter account of Hollywood actor Kevin Bacon earlier this week, in an attempt to steal the passwords of the star’s hundreds of thousands of followers.

Bacon, who is probably almost as well known for the “Six degrees of Kevin Bacon” trivia game as he is for his prolific movie career, had his Twitter account hacked on Sunday, when it began to post messages designed to entice readers into clicking on a dangerous link to discover more.

Did anyone see this? She is way too young for that [LINK]

Phishing tweets on Kevin Bacon's account

If you did find yourself clicking on the link, whose true destination had been hidden by use of the bit.do (not to be confused with bit.ly) URL shortener, you would find your browser had taken you to what appeared to be a Twitter login page.

Kevin Bacon phishing page

Of course, careful examination of the URL in the browser’s address bar reveals that it’s not a page hosted on Twitter’s own servers.
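The address-bar check described above can be done mechanically. The following is an added example, not code from the original article; the host lists and the sample links are assumptions constructed for illustration.

```javascript
// Added example. Host lists are illustrative assumptions, not a complete inventory.
const TWITTER_DOMAINS = ["twitter.com"];   // where the real login page lives
const SHORTENERS = ["bit.do", "bit.ly"];   // the two shorteners the article names

// Match on a label boundary so "nottwitter.com" does not pass as "twitter.com".
function isSameOrSubdomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns "twitter", "shortened" (true destination hidden), "other" or "invalid".
function classifyLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return "invalid";
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "invalid";
  // The parser lower-cases the host and separates any "user@" prefix from it;
  // strip a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  if (SHORTENERS.some((d) => isSameOrSubdomain(host, d))) return "shortened";
  // Only an HTTPS page on the genuine domain counts as the real login page.
  if (url.protocol === "https:" &&
      TWITTER_DOMAINS.some((d) => isSameOrSubdomain(host, d))) {
    return "twitter";
  }
  return "other";
}

// Constructed sample links (not taken from the incident).
const SAMPLES = [
  "https://twitter.com/login",
  "https://mobile.twitter.com/session",
  "http://bit.do/abc123",
  "https://twitter.com.login.example/session",
  "https://twitter.com@login.example/",
  "https://nottwitter.com/login",
  "https://login.example/twitter.com/login",
];
for (const link of SAMPLES) console.log(classifyLink(link).padEnd(10), link);
```

Only the hostname decides the result: text that merely contains "twitter.com" in a subdomain prefix, a user@ prefix or the path is classified as "other".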

If you did make the mistake of entering your username and password at this point, you would have handed over your login credentials to online criminals – who could later exploit them to compromise your own account, and perhaps send spam messages or malicious links to your friends and followers.

The good news is that Kevin Bacon appears to have realised that the unauthorised tweets had been sent from his account pretty quickly, and posted a message apologising to fans and saying that he had changed his password.

Kevin Bacon apologises

Kevin Bacon says his new password is EggsN'. Geddit?


An obvious question is how Kevin Bacon’s Twitter account was hacked. Was he using the same password in multiple places (and perhaps hacked elsewhere)? Or did he himself fall for a phishing attack?

I was interested to see Eduard Kovacs of Softpedia note that despite apologising to his followers for the phishing messages, Kevin Bacon still hasn’t actually removed them from his Twitter page.

Maybe he would be sensible to take a little less time making bad puns, and put a little more effort into cleaning up the dangerous links that the phishers have left lying around. After all, a Twitter hacking is no yolk. [Sorry, I’m so sorry]


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
