February 21, 2013
Twitter Suggests Poor Password Choices to Blame
Burger King’s official Twitter feed was hit Feb. 18 by an unidentified group of hackers with the monikers “OpMadCow” and “OpWhopper.” The same hackers compromised the official Twitter account for Chrysler division Jeep the following day. The hackers issued this tweet: “The official Twitter handle for Jeep — Just Empty Every Pocket, Sold To Cadillac … In a hood near you!”
Are the hacks Twitter’s fault? Is its security tight enough? Those are just two of the many questions being asked in the wake of the high-profile hacks.
Twitter director of information security Bob Lord addressed the talk with a blog post this week that also issued “a friendly reminder about password security.”
“Over the past couple of days, there’s been a fair amount of conversation about account security on Twitter,” he said. “We thought we’d take advantage of this moment to remind you of best practices around passwords — both on Twitter and on the Internet generally.”
Lord, in his Feb. 19 blog post, offered four tips to Twitter users to improve account security. Here is an excerpt from the blog:
• Use a strong password. Your password should be at least 10 characters that include upper and lower case characters, numbers, and symbols. You should always use a unique password for each website you use; that way, if one account gets compromised, the rest are safe.
• Watch out for suspicious links, and always make sure you’re on Twitter.com before you enter your login information. Be cautious when clicking on links in Direct Messages. Whenever you are prompted to enter your Twitter password, just take a quick look at the URL and make sure you’re actually on Twitter.com. Phishing websites will often look just like Twitter’s login page, but will actually be for destinations other than Twitter. If ever in doubt, just go directly to twitter.com in your browser.
• Don’t give your username and password out to unknown third parties, especially those promising to get you followers or make you money. When you give your username and password to someone else, they get complete control of your account and can lock you out of your account or take actions that cause your account to be suspended. Be wary of any application that promises to make you money or get you followers. If it sounds too good to be true, it probably is!
• Make sure your computer and operating system are up to date with the most recent patches, upgrades, and anti-virus software. Keep your browser and operating system updated with the most current versions and patches; patches are often released to address particular security threats.
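The first two tips above can be turned into mechanical checks. The Python below is an added example, not code from Twitter's post or from this article: it reports which parts of the quoted password policy a password fails, and it decides whether a login URL really points at twitter.com by parsing the host rather than string-matching, which is what defeats lookalike phishing addresses. The definition of "symbol" and the HTTPS requirement are assumptions made here.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Policy quoted from the Twitter post: at least 10 characters, mixing
# upper case, lower case, digits and symbols. Treating "symbol" as any
# printable, non-alphanumeric, non-whitespace character is an assumption.
MIN_LENGTH = 10


def password_policy_failures(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not any(c.isprintable() and not c.isalnum() and not c.isspace()
               for c in password):
        failures.append("no symbol")
    return failures


LEGIT_HOST = "twitter.com"


def is_legitimate_login_page(url: str) -> bool:
    """True only if the URL is HTTPS and its host is twitter.com or a subdomain.

    The HTTPS requirement is an assumption added here; the post only says to
    confirm you are on Twitter.com. Taking the host from urlsplit() instead of
    searching the string for "twitter.com" is what rejects phishing shapes such
    as twitter.com.evil.example, evil.example/twitter.com and
    user@twitter.com@evil.example, all of which contain the text "twitter.com".
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL (e.g. bad IPv6 literal)
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)
```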
The blog did not, however, address Twitter’s security practices or if it is able to protect the accounts of prominent brands.
The hacking of Burger King’s and Jeep’s Twitter accounts is not the first time Twitter security has been questioned. Twitter announced 250,000 of its 250 million members were hacked during the last week of January. It has since come to light that the social networking site was compromised by the Java zero-day exploit malware that also recently infected computers at Facebook and Apple.
The social network is planning to launch two-factor authentication in a bid to strengthen log-on security.
Jeep’s header, which included the message, “The official Twitter handle for Jeep — Just Empty Every Pocket, Sold To Cadillac … In a hood near you,” also featured Cadillac’s logo.
Hackers posted a number of tasteless tweets on Jeep’s feed — such as “You’ll never catch 50cent ridin in a Dirty Ass Jeep!!!” — before the company regained control of its account 80 minutes after the first bogus tweet.
Jeep proclaimed it was in control again with this tweet: “Hacking: Definitely not a #Jeep thing. We’re back in the driver’s seat!”
Hackers hit Burger King by changing every item on its Twitter page (logo, header and photo) to reflect those of arch rival McDonald’s. The background picture of Burger King’s account featured a picture of Fish McBites accompanied by McDonald’s logo.
The hacker also posted a number of tweets:
“We just got sold to McDonalds! Look for McDonalds in a hood near you,” one post read, adding the sale occurred “because the whopper flopped.”
Yet other tweets made derogatory remarks about the restaurant chain’s employees.
Burger King pulled the plug on its account about an hour after the hack occurred, but not before 53 tweets were sent by the hackers with a total of 73,421 retweets.
Burger King took its account back online with the following tweet: “Interesting day here at Burger King, but we’re back! Welcome to all our new followers. Hope you all stick around!”
Although it is not yet known who is responsible for the hacks, some believe infamous hacker group Anonymous and its affiliate LulzSec are to blame. Both groups have denied any involvement.
If Gizmodo is right, the groups may be telling the truth. The technology website claims a Rhode Island DJ is responsible.
“SMS transcripts obtained by Gizmodo (removed by request of sender) pointed us to the Facebook wall in question, which in turn pointed to Tony Cunha’s incriminating Facebook account URL (facebook.com/ithug), further corroborated by a handful of Facebook event pages for parties Cunha has DJed in the Boston and Providence, RI areas under the iThug name—a pastime of his after the MySpace hacking market dried up,” the website reads.