As The Telegraph reports, the password was found amongst the 117 million LinkedIn account credentials from 2012 recently released online. The six character phrase enabled hackers to gain access to Zuckerberg’s Twitter and Pinterest accounts on Sunday night.
Zuckerberg’s Facebook account was not affected by the compromise. Presumably, he secures his account on his own service with something more secure than “dadada,” a password so simple it has baffled security experts who expected something a little more secure from the Facebook CEO. The password could have been hacked using brute force techniques in under 25 seconds. It is barely more secure than “abcdef.”
The hackers, called OurMine Team, sent a tweet from Zuckerberg’s account revealing they found his password in the LinkedIn dump and stating it was “dadada.” Zuckerberg’s Pinterest page received a new title, “Hacked by OurMine Team,” and an additional tweet, later deleted, claimed the hackers successfully infiltrated Zuckerberg’s Instagram account too.
Zuckerberg has since reclaimed control of his Pinterest account and his Twitter profile has been suspended. Prior to the attack, it had been dormant since 2012. Zuckerberg has evidently abstained from posting on the rival social network.
Zuckerberg’s case has been held up by the security industry as an example of the weaknesses of the current username and password model. Despite all the warnings against it, the Facebook founder appears to have used the same hopelessly insecure password across at least three different services.
“Reports that Facebook founder Mark Zuckerberg’s social media accounts have been hacked should concern us all,” said Richard Parris, chief executive at digital identity firm Intercede to The Register. “If Mr Social Media’s accounts can be compromised, with all of the knowledge and resources he and his team have available, we should all be taking notice. In fact, we should all be very angry – the vast majority of the recently reported account compromises appear to relate to leaked usernames and passwords.”
To ensure your passwords are secure, you should include a mixture of uppercase and lowercase characters, symbols and numbers. Passwords should be at least eight characters long but ideally ten or more. A unique password should be assigned to each service you use, protecting you from issues like Zuckerberg has faced.
If your password is included in a data breach, the hackers could use it to access all your online services if you use the same phrase for every account. This is an easy way for attackers to gain access to your digital identity, exploiting password reuse to progressively takeover multiple services.
Security experts called on people, including Zuckerberg, to enable two-factor authentication where possible. This requires you to enter a separate PIN code sent to your phone or email address when logging in from a new device for the first time. In Zuckerberg’s example, this could have stopped hackers accessing his accounts as he’d have received security alerts on his phone that he could have denied.
The LinkedIn password breach is believed to be one of the biggest such leaks ever, although it is dwarfed by another major leak mere weeks later. Security researcher Troy Hunt recently confirmed a data dump of 360 million Myspace accounts is in existence, the largest breach currently known. Hunt has speculated we are facing a wave of “mega-breaches” as four such databases have been released on the dark web in the past four months.
