Facebook founder Mark Zuckerberg has proven to be the highest-profile victim of the recent LinkedIn data breach, as his Twitter and Pinterest accounts were hacked and defaced on Sunday.
Saudi Arabian hacker group OurMine has claimed responsibility for the defacements, and said that it used Zuckerberg’s login details included in the 2012 hack of 65 million LinkedIn accounts – and that the most powerful individual in the global tech scene re-used the very low-security password ‘dadada’ for both accounts.
OurMine tweeted the details of the hack before its Twitter account (Wayback Machine) was suspended. ‘Hey @finkd we got access to your Twitter & Instagram & Pinterest, we are just testing your security, please dm us’
Facebook has denied additional claims that Zuckerberg’s Instagram account was also compromised during the attacks, with a spokesperson for the social network stating “No Facebook systems or accounts were accessed… The affected accounts have been re-secured.”
The full extent of the LinkedIn breach was not apparent when the data was stolen in 2012, with LinkedIn later admitting that 100 million additional user/pass combos had been compromised. In the middle of last month a hacker calling themselves ‘peace’ offered up a total of 167 million login pairs for sale at 5 bitcoins (approx. $2,200) at Dark Web marketplace ‘The Real Deal’ – apparently this is the transaction that has led to the Zuckerberg breach.
Since the passwords were hashed without salting (salting mixes a unique random value into each password before it is hashed, so that identical passwords produce different stored values and an attacker cannot reuse one precomputed lookup across every account), the entire database proved crackable in a mere three days.
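The difference between unsalted and salted storage, as an added Python example that is not part of the original article: it stores the same constructed accounts both ways and shows that one hashed guess matches every unsalted record sharing that password, while salted records differ per user. SHA-1 as the fast hash, PBKDF2 as the hardened form, and the user names are assumptions; the article does not name the algorithm LinkedIn used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; 'dadada' is the password the article cites.
USERS = {"alice": "dadada", "bob": "dadada", "carol": "correct horse battery"}

def unsalted_hash(password):
    """Weak storage: a bare fast hash (SHA-1 is an assumed stand-in)."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None, rounds=200_000):
    """Hardened storage: random per-user salt fed into a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

def build_stores(users=USERS):
    """Return the same accounts stored the weak way and the hardened way."""
    weak = {u: unsalted_hash(p) for u, p in users.items()}
    strong = {u: salted_hash(p) for u, p in users.items()}
    return weak, strong

def exposed_by_one_guess(weak, guess):
    """Unsalted: a single hash computation tests the guess on every account."""
    target = unsalted_hash(guess)
    return sorted(u for u, h in weak.items() if h == target)

def records_sharing_a_value(stored):
    """Users whose stored value is identical to another user's (reuse leak)."""
    values = list(stored.values())
    return sorted(u for u, v in stored.items() if values.count(v) > 1)

if __name__ == "__main__":
    weak, strong = build_stores()
    strong_digests = {u: d for u, (_, d) in strong.items()}
    print("unsalted records sharing a value:", records_sharing_a_value(weak))
    print("salted records sharing a value:  ", records_sharing_a_value(strong_digests))
    print("matched by one unsalted guess:   ", exposed_by_one_guess(weak, "dadada"))
    print("login still verifies with salt:  ", verify("dadada", *strong["alice"]))
```

Salting removes the shared-work shortcut but does not rescue a weak password on its own; the slow KDF raises the per-account cost of each guess.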
In February of 2015 LinkedIn agreed to pay $1.25 million to settle a class-action lawsuit from members who had been affected by the 2012 data hack – though at $50 a claimant, no-one stood to be much enriched out of the settlement.
Zuckerberg’s Twitter account has been inactive since prior to the LinkedIn breach, despite over 400,000 followers, with the last post dated 18th January 2012.
The re-use of such a simple password doubtless led OurMine to try it on several other accounts and systems belonging to the Facebook multi-billionaire – the ultimate peril of creating an easily memorable password without an underlying, personalised system to make it a harder prospect for crackers. However, if cloud-side storage doesn’t salt or provide adequate security in general, no amount of tips or tricks is likely to help much.