An astonishing 155 million internet users have experienced some form of hacking because of using weak passwords. This accounts for 30% of an estimated 5.19 billion active internet users in the world.
Here’s another fun stat: cybercrime is set to cost the global economy $10.3 trillion by 2025. As businesses amp their digital capabilities, ensuring the safety of digital assets has become a top priority for companies across the board. Yet, as technology continues to progress, so do the methods of hackers, resulting in an ongoing cat-and-mouse game between businesses and cybercriminals.
Remote work and an increasing reliance on cloud technology have left organisations particularly vulnerable to cyber attacks. The threat of data breach is universal and sector-agnostic with the potential to cause serious financial and reputational damage.
For World Password Day, given the inexorable way social media has infiltrated our daily lives, here’s a look at the five top data breaches across social media platforms over the last decade :
- Heist 1: Twitter CEO account hacked
- Heist 2: LinkedIn Data Breach
- Heist 3: Bitcoin scam on Twitter
- Heist 4: Facebook data breach
- Heist 5: Celebgate
Heist 1: Twitter CEO account hacked
In August 2019, Twitter users around the world woke up to a barrage of racist and anti-Semitic tweets allegedly posted by Twitter’s founding member and then-CEO Jack Dorsey. The account which had over four million followers posted a slew of offensive tweets within a span of 15 minutes. Soon after, Twitter released a statement claiming that the breach wasn’t caused by a system failure on their part, mentioning an unnamed mobile provider instead.
‘The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorised person to compose and send tweets via text message from the phone number. That issue is now resolved.’
The Twitter hack was a classic example of a SIM swap – a method commonly used by hackers. Once hackers have access to a phone number, they can call the user’s mobile phone provider impersonating them and request to transfer the phone number to a different SIM card. After gaining control over the number, they can send and receive messages pretending to be the original user.
A group referring to itself as the Chuckling Squad claimed responsibility for the Twitter breach. By obtaining the CEO’s phone number, they had the ability to post tweets directly to Mr. Dorsey’s Twitter account using text messaging.
Whilst Twitter distanced itself from any responsibility for the breach, it was nonetheless an embarrassing incident for the company given the number of high-profile users it has.
Heist 2: LinkedIn Data Breach
Approximately 92% of LinkedIn’s total base of 756 million users was impacted when data associated with 700 million LinkedIn accounts was posted for sale on a dark web forum in June 2021.
The hackers who identified themselves as ‘God User’ bragged about their intention to sell 700 million LinkedIn profiles on a popular hacking forum and initially published a ‘sample’ two million user records to confirm the veracity of their threat. The data released included:
- User’s full names
- Genders
- Phone numbers
- Email addresses
- Geolocation data
- LinkedIn username and profile
- Workplace information
- Other social media accounts and details
The hackers allegedly used LinkedIn’s API to ‘scrape’ user data.
Heist 3: Bitcoin scam on Twitter
The microblogging site was in the middle of yet another controversy in 2020 when multiple A-list celebrities had their accounts hacked. From political big shots like Joe Biden and Barack Obama to billionaire entrepreneurs Elon Musk, Jeff Bezos and Bill Gates and even musician Kanye West became targets of an alleged Bitcoin scam.
Tweets were posted from the official accounts of these celebrities inviting people to send Bitcoin and receive double the amount. A tweet from Bill Gates’ account said, ‘Everyone is asking me to give back. You send $1,000, I send you back $2,000.’
Twitter responded that this was a ‘co-ordinated’ attack targeting its employees who had ‘access to internal systems and tools’. Over a series of tweets, the company said that the hackers used this access to ‘take control of many highly-visible (including verified) accounts and Tweet on their behalf’.
In an emergency response, Twitter limited access to many of its features including restricting users from tweeting their Bitcoin wallet addresses. The company also stopped many verified accounts (identified by the signature blue ticks) from tweeting altogether and denied their password reset requests.
Heist 4: Facebook data breach
Over 533 million Facebook users had their personal data released on a hacking forum in a massive data breach that spanned across 106 countries. The hack was a result of two third-party Facebook app sets initially breached in 2019. The datasets contained users’ account info including comments, likes, reactions, account names, FB IDs and more.
The issue made headlines again in 2021 when the data was released on the dark web for free, further compromising user privacy. Facebook had responded that this was a common case of data scraping from publicly available information on the platform without admitting to any wrongdoing on their part. Naturally, this led to major backlash from the public and media alike.
In a statement made to the BBC, Facebook had said, ‘We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it.’
Heist 5: Celebgate
One of the most widely publicised cyber scandals of the last decade was the theft and release of hundreds of intimate photos of female celebrities in what has come to be known as Celebgate. The images were initially leaked on 4chan, a popular message board website, and then indiscriminately shared on social media sites like Reddit, Imgur, Tumblr, and others.
In 2014, a 36-year old man from Pennsylvania used a password cracking software to gain illegal access to the iCloud passwords of the targeted celebrities. He stole photos, videos and in some cases entire iPhone backups affecting at least 72 Gmail accounts and 50 iCloud accounts. However, Apple later claimed that the breach was the result of a phishing attack and denied any allegations of a security flaw in iCloud.
The hacker is believed to have used a technique known as Spear Phishing to gain access to the sensitive data. Spear phishing targets specific users impersonating accounts that they might already know. The hackers then request personal information like usernames and passwords, hoping that the victim might provide the details if they trust the source.
Victims of Celebgate included popular A-listers like Jennifer Lawrence, Kirsten Dunst, Avril Lavigne, Kate Upton and Ariana Grande. Among them Lawrence, Dunst and Upton confirmed the leaks were genuine.
How do such high-profile celebs manage to get hacked?
Did you know that 83% of Americans use weak passwords? And that includes celebrities who either don’t secure their accounts with strong passwords or make the mistake of using the password across multiple platforms. Case in point – Facebook CEO Mark Zuckerberg whose LinkedIn and Pinterest accounts were hacked by a group called OurMine Team who found that he was using the same password was multiple accounts.
What are the tips to creating a strong password?
Patrick Wake, Group Director of Information Security, FDM shares his top tips to secure your accounts and the Dos and Don’ts of choosing a strong password:
How can you create a secure password?
We agree with Microsoft and NCSC that the following are best practice. Choose a password that is:
- At least 8 characters long but 12 – 14 or more is better.
- Not a word that can be found in a dictionary or the name of a person, character, product, or organization.
- Significantly different from your previous passwords.
- A combination of uppercase letters, lowercase letters, numbers, and symbols.
- Easy for you to remember but difficult for others to guess. Consider using a memorable phrase like “6MonkeysRLooking^”.
What are the worst possible things you can do when setting up your password?
- Sharing a password with someone else
- Writing it down somewhere not secure
How often should people change their passwords?
There are mixed views on this. The NCSC and Cyber Essentials scheme both recommend a password change only when a compromise is known or suspected.
Can you give an example of a sophisticated password attack you have seen or heard of?
In general, cracking passwords isn’t that sophisticated. It is either conducted by brute forcing or using a dictionary attack of known hashes or passwords. Something more sophisticated would-be Session Hijacking. This is where an attacker can steal your session tokens by using malicious code or programs running on your machine, bypassing passwords and MFA to access online systems.
This is why having a layered defence model is important. It is equally important to keep your devices up to date, as well as having a good antivirus.
If people were to create a ‘Password Pledge’ to themselves what should be on it/what practices should they complete?
Have a different password for each account that you use and use multi-factor authentication when available.
To sum up
The threat of a data theft and having sensitive information compromised by illegal players is not restricted to large businesses alone. Anyone can become a victim of a data heist and have their personal credentials stolen. Despite taking numerous precautionary measures, hackers continually find ways to launch more advanced cyber-attacks. The explosion of social media has only made the threat of data breaches stronger.
By adopting effective security measures and social media policies, as well as educating employees on the dangers of data theft, companies can minimize the risks and potential financial and reputational harm. On the other hand, everyone can benefit from following best practices for choosing strong passwords and implementing MFA where possible. The right security protocols and training programs can go a long way in preventing cyber attacks and ensuring the safety of sensitive data.
Read our related posts: