Lessons to learn as McAfee’s LinkedIn page is hijacked



It was a four-day holiday weekend here in the UK, so I took a break from my normal monitoring of what was going on in the world of online security… but a tweet from industry veteran John McAfee caught my eye, having a poke at the company he sold 25 years ago (but continues to tease for using his name):

John McAfee was wrong to say that it was the McAfee website that had been hacked – the actual victim was the company’s LinkedIn presence followed by over 135,000 people.

Nonetheless, for any corporate brand to have its social media account hijacked by mischief makers is embarrassing. And for it to happen to a major computer security company through such insecure behaviour is downright humiliating.

We just have to be grateful that the account hijackers were content to merely spread electronic graffiti, rather than use the opportunity to spew out phishing links or direct unsuspecting followers to visit malware-infected webpages.

As CSO Online’s Steve Ragan describes in some detail, it appears that the attack happened because one of the admins of McAfee’s LinkedIn page committed two cardinal sins:

  • Reusing passwords across different online accounts.
  • Not enabling two-factor authentication.

To its credit, LinkedIn doesn’t require companies to share the same usernames and passwords for their company pages amongst different administrators. Instead, you can assign page admin rights to different LinkedIn users, who log in with their own personal credentials.

Of course, you would then want to feel sure that each admin has used a strong, unique password for their LinkedIn account, and has enabled LinkedIn’s two-step verification feature (2SV).


I don’t know if McAfee asked all of its page admins to take those steps or not, but it appears that one of their admins let the side down – and carelessly put the company’s brand reputation at stake.

Although it’s easy to have a giggle at McAfee’s misfortune, now would be a good time for all companies to consider whether they have educated their staff about how to protect online accounts more securely – and to enable two-step verification or two-factor authentication where available. Not just on LinkedIn, but also on the many other online services where hackers might be attempting to hijack brands.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

One comment on “Lessons to learn as McAfee’s LinkedIn page is hijacked”

  1. Stephen

    John McAfee wouldn't know where to start trying to hack LinkedIn. He employed people to write the software with his name on it, and hasn't done much lately other than getting in trouble with the law.
