Security Bytes

Jul 6 2011   1:37PM GMT

Poor password management leads to Twitter hacks



Posted by: Robert Westervelt
Tags:
Password management
Twitter security

FoxNews.com and PayPal UK Twitter accounts get hijacked by anonymous groups.

Hackers took control of two prominent Twitter accounts recently, posting false messages to followers of the accounts of FoxNews.com and PayPal UK.

An anonymous hacking group claimed responsibility for the attack on the Fox account. The group posted six false messages on the FoxNews.com account, giving followers a phony news item that U.S. President Barack Obama had been shot dead. The move reportedly prompted an investigation by the Secret Service.

News Corp, acknowledged that the account had been hijacked and removed the false messages. A Fox News spokeswoman said Twitter suspended the account once the account hijacking was detected.

Like many news organizations, accounts to Twitter, Facebook and other social networks are often shared between editors. Security experts said the attacks highlight the need for better password management. Twitter told Reuters that it monitors its systems to detect brute-force log-in attempts, but compromises due to “off-site behavior” can still take place.

PayPal U.K had its account hijacked late Tuesday. The account has about 17,000 followers. The messages appeared to come from an angry customer who sent out a message: “PAYPAL FROZE ALL MY MONEY FOR NO REASON…” PayPal reportedly confirmed that its account was hijacked. The messages were deleted by the company.

The group involved in the Fox Twitter hijacking is from the so-called “anti-sec” hactivist movement.

Chester Wisniewski of security firm Sophos said the password problem stems from organizations giving access to the account to multiple employees. The passwords are typically easy to guess and are often stored on the computers used by the employee and in some cases are frequently emailed.

“Most social networks were designed for use by individuals and don’t offer enterprise-grade security options with granular permission controls. If the password is shared with enough people, someone will misplace it or use something “everyone can remember.”

Attackers also take advantage of password reuse, Wisniewski said. People often use the same password for multiple accounts. Once one account has been compromised, an attacker can attempt to gain access to other online accounts. If the attacker can also obtain the victim’s email address, they can also attempt to reset the password, he said.

A number of password management tools exist to help users follow better password practices.  We wrote about the password management tools in February after attackers stole account credentials from users of a popular torrent site for movies to gain access to their Twitter account for spamming.

Poor password use at Twitter

Twitter expects its users to better protect their account credentials, but the company has also been the victim of poor password practices. Twitter has had to deal with a myriad of security issues ever since its service grew in popularity. In 2010 the social networking giant settled Federal Trade Commission charges that it deceived consumers and put their privacy at risk.

The charges stem from incidents that took place between January and May 2009, when hackers gained administrative control of Twitter and were able to view nonpublic user information, gain access to direct messages and protected tweets and reset any user’s password and send authorized tweets from any user account. Those security lapses were the result of employees storing admin passwords.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: