Hackers Break Into Ringo Starr's Twitter Account With Simple Password Reset

blottsie writes: Ringo Starr's account was compromised by a hacker operating under the username "af," who spoke to the Daily Dot about the breach. The hacker says he gained access to an email account associated with Doug Brasch, senior director of digital marketing at Universal Music Group, who managed Starr's Twitter account. He simply used an email password reset to gain access.

Email got hacked

so the real hack was the email account not twitter?

Re:Email got hacked

[LinuxIsGarbage]

so the real hack was the email account not twitter?

Exactly. If it was a "simple Password reset" it would have been:
Security question: What's your favorite band?
Answer: The Beatles.

Re:Email got hacked

[arth1]

I hate websites forcing Security Questions down my throat for this reason.

Worst are those who require you to answer their questions, and not your own.

What was your mother's maiden name?
I never knew who my mother were, you insensitive clod! And if I did know, I bet that a quick search of any genealogy site would tell an intruder too.

What city were you born in?
I wasn't born in a city, you insensitive clod! And isn't town of birth public data?

What was the name of your 6th grade teacher?
People seriously remember this into their 70s?

I wonder how many of the secret answers are "FUCK YOU!", because they're either questions that everybody knows, or you don't even know yourself.

Re: Email got hacked

[invictusvoyd]

Record your answer somewhere safe.

Like a piece of paper stuck beneath the keyboard.

Re:Email got hacked

[arobatino]

Use a strong random string as the answer, regardless of what the question is, and store it in a password manager (next to the question). Then the question doesn't matter, it's only used for lookup.

What is your mother's maiden name? JbdsxnzvB31M4uW0AxVsh2gIcFHhgN
What is your favorite color? ESWKiF0J8IyZj7aZQzCjsAhGcyn4QC

Re:Email got hacked

[brantondaveperson]

But the whole point of the 'security questions', is that you've lost your password. If you're using a password manager to store your passwords already, then there's no point using it to store your answers, because then you'd have your actual password, and wouldn't need the 'security questions'.

You might as well type in random text, and not even bother to remember it, if you're going to use a password manager to store it. I hate the things too.

Re:Email got hacked

[arobatino]

You might as well type in random text, and not even bother to remember it, if you're going to use a password manager to store it.

You have to store the answers to the "security questions", because sometimes websites will require you to know them, even if you have your password. It's happened to me more than once.

Of course, they shouldn't actually be called "security questions" (since the purpose is not to enhance security, but to actually weaken it so customer service doesn't have to deal with people who forgot their password) but obviously they can't admit to that. And since they need to pretend it's about security, they also need to make it mandatory, even though it's pointless for people who use PMs and do backups regularly. We just grit our teeth and store the "security questions" in the PM, along with the passwords.

Re:Email got hacked

[GateGuy]

I had a credit card hacked once. The person used it to pay for a lot of crap on iTunes. When I called Apple support, the said that the credit card was attached to a different account. So when the support person wanted to validate who I was, she asked me for the answers to my secret questions. I had scrambled answers like you describe. I also always use the maximum number of characters that the field (or rule) will allow. About 50 characters into it, she said she knew it was me.

Re:Email got hacked

[omnichad]

It was an iCloud email address, but in this case, Apple's security questions were such that the answers could be found via Facebook.

Re:Email got hacked

[sudon't]

But the whole point of the 'security questions', is that you've lost your password. If you're using a password manager to store your passwords already, then there's no point using it to store your answers, because then you'd have your actual password, and wouldn't need the 'security questions'.

Right. All this extra "security" bullshit we have to put up with is because of the idiots who don't use password managers, (and password generators). It's the dumbing-down of security. I don't see how these people will ever learn if they're always having their hands held. Let them lose control of a few accounts. Then, maybe, they'll get with the program.

Re:Email got hacked

[brantondaveperson]

You have to store the answers to the "security questions", because sometimes websites will require you to know them, even if you have your password. It's happened to me more than once.

Well. That's pretty stupid. In that case I guess you're stuck, and your random answers are a pretty good idea. I don't know that most password managers actually support 'security questions' without creating a whole new entry for each one - the one I use (keepass) certainly doesn't. It's time that we used a hardware security dongle - you know, like we do with doors - to allow people into their accounts.

Re:Email got hacked

[arobatino]

Some password managers allow you to store description (arbitrary text) alongside the passwords.

That's what I do. MyPasswordSafe allows storing comment text with each entry, so I put the "security question"/answer pairs in there.

Re:Email got hacked

[MoarSauce123]

The problem are these prefab password reset questions and the logical answers people give. When asked for birth date put something in that is clearly NOT your birthday. Asked for favorite band enter your least favorite food. Although I bet there is a band called "capers".

31337

[JesseEnjaian]

When did the word "hacker" become synonymous with "being a douchebag with computers?" I missed this cultural shift somewhere.

Re:31337

[malditaenvidia]

Around the late 90's, if I recall correctly.

Re:31337

[JesseEnjaian]

Around the late 90's, if I recall correctly.

you mean IIRC

Re:31337

As far as I'm aware it's always meant that.

It's just that until the 90's the only people with anything important accessible by computer were big businesses and the government so the douchebags could pretend to be Robin Hood class d-bags instead of The Joker class d-bags.

I thought a "hacker" built stuff and a "cracker" broke stuff. "Breaking into an account" would then fall under "cracking," not hacking. AFAIK, "hacking" is when you use some paperclips, a few resistors, and a perl script to turn your motherboard into a radio. THAT is hacking.

Did you circumvent encryption? Crack.
Did you come up with a no-cd game patch? Crack.

Did you figure out how to send digital files UUencode-style via SMS using a rooted iPhone? Hack.
Did you make your line printer play Christmas songs? Hack.
Did you get a MUD (multi-user domain) running on some old cable box? Hack.

To hack is to get a webserver running on some old graphing calculator, not hassling old Ringo. :(

Re:31337

[DerekLyons]

Long before that, try early/mid 80's.

Re:31337

[JustOK]

Exactly. We should write out Lucifer Our Lord instead of lol. Oh, crap. I used an acronym.

Re:31337

[BoberFett]

I can't confirm when it started, but it reached a peak when people started swiping their friend's unlocked smartphones and posting douchey photo to the owner's Facebook page, along with the text "You've been hacked LOL!"

It's handled by a marketing droid

[93+Escort+Wagon]

I wonder how many celebrities don't even have access to (ostensibly) their own social media accounts?

Also, who cares about Ringo Starr in 2016?

Re:It's handled by a marketing droid

[Lunix+Nutcase]

Probably quite a lot of them. You don't actually think celebrities are making all those posts to Facebook and Twitter themselves, right?

Re:It's handled by a marketing droid

[ShaunC]

I dunno. If Kanye isn't making his own Tweets, he ought to fire whoever he has doing it for him.

Re:It's handled by a marketing droid

[judoguy]

Also, who cares about Ringo Starr in 2016?

Rory and the Hurricanes is as sweet a pop song as anyone puts out today.

Re:It's handled by a marketing droid

[CanEHdian]

Well at least we know Kevin Hart is doing his own tweets!

E-mail is the universal key

[shawn2772]

I occasionally run into people who don't believe they need to be very careful with their e-mail security, because "it's only e-mail, it's not like my bank account or anything". But given that virtually every other online account you create uses e-mail to manage password reset, it is your bank account. And everything else.

Use a good password on your e-mail account, and enable two-factor authentication. If your e-mail provider doesn't offer 2FA, or offers a form of it that's too inconvenient to use, get a better e-mail provider. #emailmatters

Re:E-mail is the universal key

#emailmatters

#hashtagsareretarded

Re:E-mail is the universal key

[Blaskowicz]

If you want a better e-mail provider you'll have to pay for it. If you ever get unable to pay (say, unemployment, homeless, prison, war, disease etc.) you're then at a risk of losing it all.
As for 2FA there's no way I'm giving my phone number to $email_provider :). And I have never thought yet about what happens if I lose a phone number tied to a password!

We need some way to be secure without recurring bills. e.g. using Firefox instead of IE was free at least.

Re:E-mail is the universal key

[Gojira+Shipi-Taro]

As for 2FA there's no way I'm giving my phone number to $email_provider

Well texts are far from being the ONLY way to get 2FA but beyond that, perhaps you're too paranoid to be on the internet?

Re:E-mail is the universal key

[shawn2772]

If you want a better e-mail provider you'll have to pay for it.

Gmail is free, and has excellent security. Better than any paid service I've seen, actually.

As for 2FA there's no way I'm giving my phone number to $email_provider

So, don't use phone-based 2FA. Continuing with Gmail as an example, you can get 2FA via security key (a little USB stick), smartphone app, printed codes (pieces of paper you carry in your wallet), SMS or voice phone. Only the last two involve your phone number. Though I have to wonder... just what do you think $email_provider is going to do with your phone number anyway? And if you don't want them to have it, you'd better be sure you never e-mail it to anyone. Or include it in your sig.

And I have never thought yet about what happens if I lose a phone number tied to a password!

The typical smartphone is actually the worst possible case, because it's unlocked and has browsing history, e-mail, and very likely your 2FA as well. It may even contain passwords, stored by the browser or by a password keeper.

You really, really need to secure your phone with a good password, and configure it to lock aggressively.

(Full disclosure: I work for Google, but not on Gmail. I work on Android security, and I worry a lot about how valuable phones are becoming, and how insecurely most of them are configured.)

Re:E-mail is the universal key

[N1AK]

Was going to respond with most of the points made in this post, but will now just emphasise that 2FA exists in a number of formats that don't require you to give a mobile phone number. Personally I use Google Authenticator (an app on my phone), backed up by mobile phone SMS (optional), further backed up by a print out of 10 one use codes (I've used two, and keep half in my wallet and half at home).

Re:E-mail is the universal key

[houghi]

As I have my own domain (and others here might have as well) I use a simple way of using email.
1) A spam account at gmx.com for rubbish. Many would use Google, I like GMX better, because it isn't google.
2) A fristname.lastname@example.com that is only used when I am looking for a job. If I don't, all mails will be dropped.
3) An email address for friends that will be filtered for spam
4) An email address for every website that is important to me. e.g. shlashdot.org@example.com or bigbank.com@example.com.

The last one will not only give me a way to tell if it is really my bank or not, so less possible falling for fake mails. It is also possible to see who sell their email addresses and I will drop the mailbox. Till now after several years the only company that has done this is Ebay.

All email addresses are just aliases.

Filtering into folders is done per type (e.g. mailing lists, commercial, financial, ...) by procmail

It has helped me determine if something is a fake mail from BigBank that was my bank and was done very well. As it was in the wrong folder, I knew it wasn't send by my bank and thus deleted.

I even make one that is travel@example.com for travels for that year. That way I do not need to use a different one for various hotels and restaurants I want to do reservations at or rental companies, while all stays together.

What people who do not have access to their own domain and/or unlimited aliases could still use different email addresses.
e.g. banking.name@example.net , stores.name@example.net , webistes.name@example.net.

Most places will allow 5 aliases and that should be enough to differenctiate. It will also prevent using an address like LittleHornyBitch69@example.org when you start looking for a job.

Re:E-mail is the universal key

[omnichad]

#emailmatters

#hashtagsareretarded

#itsapoundsignanditisretardedtoo

#icallitanoctothorpeyouinsensitiveclod

Re:E-mail is the universal key

[Mirar]

I use the same scheme, although I'm harder with _everything_ gets their own email address.

Small companies that look at things manually usually get confused when I fill in the email address "smallcompany.com@example.com". One even canceled an order because they didn't believe the email address. (Apologies and rebate though when I told them that yes, that's the correct one.)

I also sort every @example.com in a separate mailbox. If anyone have a good tip of a good imap server/mail reader combo that can handle about a thousand incoming mailboxes I'd like to know, so I can stop using gnus and mbox.

PGP Reset Emails

[mx+b]

I've wondered why services don't allow you to do something like add a PGP public key, and all notifications from that site are sent encrypted to that key. If someone gets ahold of your reset email, well unless they have your private key and passphase, they're still out of luck. Furthermore, legit email notices could be signed by a known public key of the site.

OK, it was a bit rhetorical perhaps, as I know not many are familiar with PGP to use it. Outlook doesn't support it out of the box so that cuts out a lot of users right there. And even people technical enough to know what its doing don't always like it.

And I guess the problem then would be people saying "I forgot my PGP passphase, please help!". So maybe it wouldn't actually solve much and still be prone to social engineering. But still. In 2016 I would have thought we'd have a better handle on privacy and security.

Re:PGP Reset Emails

[Lunix+Nutcase]

simple solution - expire passwords at random time intervals

Which is itself a stupid policy and has been proven time and time again to only lead users to choosing weaker passwords, writing their passwords down, etc. so they can remember them.

Re:PGP Reset Emails

[Lunix+Nutcase]

Don't allow them to set weak passwords. If you allow your users to set weak passwords, expect them to set weak passwords.

Users will set the weakest password you will let them get away with. You can try to set all sorts of arcane rules and yet users will still find ways to make weak passwords.

As far as writing it down goes, you're never going to stop that. I've come across users that wrote down even the simplest of passwords; forcing harder passwords is not going to change that.

Forcing them to constantly change their password is going to KEEP them doing it.

Your argument is worthless as long as we're talking about passwords. Once there is a working replacement for passwords, your argument has merit.

It's only "worthless" if you don't actually really care about opsec. Enjoy your users' accounts being easy to break in to.

Re:Who the fuck cares

[whipslash]

move along then

Re:Who the fuck cares

[whipslash]

No

This is what you get when...

[sudden.zero]

...Slashdot is moderated by douches that work for a company that knows nothing about Slashdot's culture! God I wish someone would by Slashdot from Dice.

Re:This is what you get when...

[rudy_wayne]

lol

Good one.

It's a business solution, not a technological one

[Etherwalk]

I've wondered why services don't allow you to do something like add a PGP public key, and all notifications from that site are sent encrypted to that key. If someone gets ahold of your reset email, well unless they have your private key and passphase, they're still out of luck. Furthermore, legit email notices could be signed by a known public key of the site.

OK, it was a bit rhetorical perhaps, as I know not many are familiar with PGP to use it. Outlook doesn't support it out of the box so that cuts out a lot of users right there. And even people technical enough to know what its doing don't always like it.

And I guess the problem then would be people saying "I forgot my PGP passphase, please help!". So maybe it wouldn't actually solve much and still be prone to social engineering. But still. In 2016 I would have thought we'd have a better handle on privacy and security.

Because that doesn't make sense from a business standpoint.

2-factor authentication to your phone works for most consumers. For higher-value accounts of celebrities, etc..., people should be able to pay to have password resets confirmed by fedex or by phone call to their IT department/agent/secretary.

Was his password....

[unixisc]

.....Ob-la-di-ob-la-da?

Re:Who the fuck cares

[whipslash]

Oh we're listening. Just not to the AC posting "who the fuck cares" when the majority of comments here are actual good discussion. No one's stopping you from spewing venom from your pulpit of anonymity though so keep on keepin on

Curious

[ajarin]

Wah... How could it be happen?

Re:Who the fuck cares

[whipslash]

Beatles are Z-List celebrities. Noted. And I was just saying bluntly you should move along if you're not interested. The majority of commenters here are.

Re:Who the fuck cares

[whipslash]

Good talk. See ya out there

Re:So much for the new management

[whipslash]

We hardly knew ye

Peace and Love, Peace and love!

[Lumpy]

it's not like a celebrity has any different security than normal people.

But it's still funny.

Re:Peace and Love, Peace and love!

[Lunix+Nutcase]

Ringo isn't even involved. As stated, this was someone breaking into the email of the guy who runs Ringo's Twitter account.

Where's the IT angle?

[tetraverse]

“The questions asked were his birthday and name of his nephew, both easy to find with Facebook. I was surprised when I entered the answers and it actually succeeded first try.”

Re:So much for the new management

[whipslash]

No I've been logged in all day. To declare your hopes dashed because of a story, or a few stories, that you don't think fit the ethos of the site is a little premature. We are working on it. It's only been a few weeks. Give us time.

Re:So much for the new management

[whipslash]

That's not what I'm saying. I am just saying if someone voices their opinion with the subject line "who the fuck cares", I'm going to put less weight on that than someone who voices it thoughtfully. The OP in this thread was more thoughtful than some other commenters.

Re:So much for the new management

[whipslash]

My intention is for it to equate to, as I've said multiple times, "we hear you and we are working on it.. Bear with us while we improve." I read criticism all day long, be it founded or unfounded. We hear you. We are working on improving. Rest assured I read every single comment. I just think energy might be better served with a productive discussion on the story, or discussing another story you actually like. Your gripes about editorial are well noted at this point and I am working with editors.

Re:So much for the new management

[whipslash]

Submit them into the firehose and let them get voted up. The firehose is where you can give your vote on which story we should pick. We will also be incorporating stories that will auto post to the front page from the firehose when they reach a critical mass of popularity, including requirements such as a certain amount of votes from high karma users, users with old accounts, and other filters like an enhanced dupe checker. You have a low user ID and high karma so your votes will matter greatly. To answer your question of how many weeks we need, I am not sure. However if you think you're going to engender haste to enact your wishes, calling people on our staff worthless losers probably isn't your best bet.

Hackers and crackers

[XXongo]

I thought a "hacker" built stuff and a "cracker" broke stuff.

There has been an attempt to get that usage adopted, but it's failed.

Basically, the definition of "cracker" as "A poor and usually bigotted white person living in the south" is so well accepted in America that it hasn't been possible to graft a new definition on.

see: ubran dictionary or NPR

Re:So much for the new management

[DNS-and-BIND]

Sorry, I react poorly to people to whom I perceive have flipped me the bird verbally.

In the past, the firehose has been roundly ignored when it votes up inconvenient stories like the Albright "burn in hell" story. Thus, me and a lot of other people stopped using it a long time ago. Try renaming it to something other than 'firehose' and tell us that it'll auto-post no matter how damaging the topic matter is to the Democrats.

Re:So much for the new management

[whipslash]

We're not going to rename it but I'm telling you right now it will auto post anything that meets the vote requirements, no matter the topic. It will be live in the next week or two.

Re:So much for the new management

[whipslash]

We're working on improving editorial as well as everything else. Sorry if I came off as abrasive but I read enough criticism in a day to last me a life time.

Re:So much for the new management

[whipslash]

Would also like everyone's opinion here regarding videos on Slashdot: https://slashdot.org/poll/2973...

Re:So much for the new management

[DNS-and-BIND]

Well! I'll believe it when I see the first anti-SJW story or the first pro-Trump story. If you really believe in the users, that will show it. I get the feeling that the story will be shitcanned shortly after appearing though, either by your order or by some higher up Dice.com manager. Dice is pretty hard left and you don't see inconvenient truths unless they support their side of the story.

Re:So much for the new management

[Gojira+Shipi-Taro]

And I react poorly to people that think that they alone represent the filter through which "News for Nerds" should pass. There's so many of you grognard assholes. Get the fuck over it. The new ownership does seem to care. They just don't have to specifically care about YOU.

Re:So much for the new management

[Gojira+Shipi-Taro]

There's not going to be a pro-Trump story because that prick has no one's interests at heart than his own. If you're looking for "Fox News" style "fair and balanced" you can fuck right off to your fascist hacienda and die.

By your imaginary "news for nerds" filter, how would a pro-Trump story even be a thing here? You're a bit of a prat.

Re:So much for the new management

[whipslash]

We won't can the story based on its political leaning. Also you do realize Dice is no longer the owner of Slashdot right?

Re:So much for the new management

[Gojira+Shipi-Taro]

As well you should. I see so much noise from so-called "old timers" who think they're the end-all be-all of defining what /. should be. Like not reading an article that you can see from the title isn't to your taste is a fucking burden.

I can tell that you guys are trying. It's one reason I'm back after several years of not bothering to check this place at all.

As long as you guys can keep the shitposts down, I think we're good.

Re:So much for the new management

[whipslash]

Thanks for the support!

Re:So much for the new management

[DNS-and-BIND]

Oh, right. LOL. Have to learn the customs of the new boss. That's a demerit!

Re:So much for the new management

[Gojira+Shipi-Taro]

No you just have to learn the customs of a sane community. Raging at "the man" without a point of reference is seldom productive.

Re:So much for the new management

[DNS-and-BIND]

Imaginary news for nerds filter? WTF? It is the founding statement of the website. It's why we're all here. By nerds, for nerds. I am seriously having a problem comprehending how you don't know this.

If you have a problem tolerating people who think differently from yourself, you fit all the criteria in this article. Here is a particularly damaging excerpt that describes you to a T:

Another characteristic of the new upper class - and something new under the American sun - is their easy acceptance of being members of an upper class and their condescension toward ordinary Americans. Try using "redneck" in a conversation with your highly educated friends and see if it triggers any of the nervousness that accompanies other ethnic slurs. Refer to âoeflyover countryâ and consider the implications when no one asks, âoeWhat does that mean?â Or I can send you to chat with a friend in Washington, D.C., who bought a weekend place in West Virginia. He will tell you about the contempt for his new neighbors that he has encountered in the elite precincts of the nationâ(TM)s capital.
For its part, mainstream America is fully aware of this condescension and contempt and is understandably irritated by it.

It may come to the realization that America isn't the country for you and the people here are not what you want to be around. You would be far more comfortable in a country that shares your left-wing views. I would suggest Bolivia, Venezuela, or Cuba, but you may go where you like. Bon Voyage!

Motive

[BlueBiker]

Uh-oh, hope Pete Best has an alibi :-/

useful?

[Mirar]

Can I use this "hack" to get my old, bot-stolen (because I obviously didn't care back then), twitter account back?