Hacker Takes Over Oculus CEO's Twitter Account, Announces New CEO (techcrunch.com)
Another day, another high-profile figure becoming the victim of a hack attack. Somebody managed to find a way into Oculus CEO Brendan Iribe's Twitter account late Wednesday. The hacker, who appears to be a user who goes by the alias "lid" on Twitter, changed Iribe's bio and cover photo, and made a couple of interesting "announcements" -- including him becoming the new CEO of the Facebook-owned virtual reality company. TechCrunch reports: This is just the latest in a string of tech CEOs having their Twitter accounts compromised; this attack does not appear to be from the same hacker group responsible for the hacks on the accounts of Travis Kalanick, Sundar Pichai, Mark Zuckerberg and Dick Costolo. Late Wednesday night, Iribe's Twitter bio temporarily read, "hey its @Lid ... im not testing ya security im just havin a laugh." The hacker told me in a Twitter DM that he accessed the password via last month's MySpace breach; he also said that he would've managed to access Iribe's email account had he not had two-factor authentication enabled.
can't they be at least as creative as Bart Simpson's bar calls?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
You too can be elite if you copy a password out of a text file.
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Bad karma and lack of security: these guys have a unique developer API policy: They own whatever you develop for their platform. (surprised anyone agreed to this..) so I say "it couldn't have happened to a nicer guy". Perhaps they were alluding to what should happen later on given the way they treat the developers who for some odd reason create stuff for their platform under ethically questionable terms.
"Imagination is more important than knowledge" - Einstein
Had this been a pro they'd have sold this log-in. It seems feasible that if it were properly managed and timed, a more realistic "Announcement" could have yielded big bucks in stock trading. My wee brain can't wrap itself around someone that is smart enough to hack the account and too stupid to do anything useful with said hack. I'm going to suppose that said hacker isn't really evil. Hell, just letting the guy know privately that you did it and how you did it would probably be fairly profitable. Let's just call him clever but stupidly shortsighted.
When are high-profile people - particularly tech people - going to learn to use any of the multi-factor auth options available to them?
As soon as Twitter allows a person with more than one account to use two-factor authentication on more than one account without multiple cell phone lines.
If you control both a personal account and a business account, you can expect the following error message when adding a second account: "The phone number you gave us is currently used by another Twitter account. Only one account can be used with a mobile phone at a time." (screenshot). Many major 2FA IDPs other than Twitter support TOTP, and some support U2F keys through Google Chrome. Though the Twitter Rules allow a user to manage more than one account with distinct purposes,* a user has to either forgo 2FA for one account or fork over $120 per year for a second cell phone line. Have things changed materially since September 2014 when this article was written?
Furthermore, this article claims that an account can't have more than one number, which makes 2FA impractical for multiple staffers who tweet on a single account. One might consider using a landline shared by staffers in an office, but that doesn't work either. I tried to associate my Twitter account with a landline in May of this year, but it gave an error message that my carrier was unsupported.
If any of this has changed, link me the announcement.
* As opposed to these Twitter accounts, all of which exist to praise GNU/Linux and bash "M$".