'I was hacked' – feeble excuse or real threat on social media?
Every so often somebody embroiled in a firestorm over a jarring social media post responds with three words – “I was hacked.”
But how easy is it to “hack” a social media account?
Take, for example, a recent racist and homophobic tweet directed at Somizi, which unleashed a furious army of his supporters to hunt down a person who later said her account was compromised.
Australian Federal Police confirmed, just weeks ago, that the Twitter account of that country’s Health Minister Greg Hunt was not – as he protested earlier – hacked when it “liked” a hard-core porn tweet.
Jabu Mtsweni, a cyber expert for the Council for Scientific and Industrial Research, said it was fairly easy for social media accounts to be accessed by somebody else.
“Actually the two topics (data leaks) and the easy access to other people’s email address or social media accounts is rather easy, and mostly because of poor passwords used by the Internet users,” Mtsweni said.
He said when one considered the recent Gupta email leaks, that could also constitute illegal access to information.
“But also because today one can easily hire a hack on dark markets who can hack other people’s social media or email accounts. There are many incidents of this, and including our own current president, whose email accounts were hacked, but also the Gupta emails,” he said.
“The other main problem is that social media or email accounts used by the general public are free and controlled by third parties, who sometimes do not take security seriously.
“Yahoo, as a free email service, has been hacked so many times in the past, exposing details of users publicly. Moreover, general users do not practise safe online behaviour, for example avoiding clicking of unknown links or adverts.
“In addition, users give their personal information out there for free, through various phishing scams. These are the order of the day and general users lack the necessary cyber security awareness to identify these online scams. So, in a nutshell, it is rather too easy for malicious actors to access one's social media or email accounts.”
Craig Rosewarne from Wolfpack Risk added that the higher one’s public standing, the more vulnerable online accounts became.
“It depends if they have just opened a normal account and they haven’t hardened the account by changing the privacy or the security settings. It is fairly easy to access their accounts by guessing their password based on what they put on their social media profile. So that would be a starting point.”
Online users should also be cautious of emails received from social media sites requesting a password change.
“The next step from that would be to send them an email where you fool them to be from LinkedIn or Facebook, where you create a false Facebook account and say because of a security breach they need to log in and validate their account. You would then redirect them. It is very easy to spoof an email coming from Facebook,” Rosewarne said.
“You are then able to log in as them and basically do whatever you want to. We always encourage people to put in two-factor authentication, like you have with online banking. That is an extra level of security.
“At the end of the day, for the average person it is not easy but if someone just knows the basics it is possible to gain access to their social media accounts. The more high-profile you are, as a company or an individual, the more likely you are to be targeted.
“You are going to get all types of fans that just want to be closer to you or people that mean harm to you. The threat is so much bigger if you are famous.”
Rosewarne provided three tips for improved online safety:
• Limit what you post online. Think twice before you post. Good people are going to be reading this and bad people are going to be reading this.
• Ensure that only your friends or followers can see your content. You don’t want the whole world to see your photos.
• Use two-factor authentication. Most of the platforms have this option and it does not cost a thing.
Haroon Meer from Thinkst Applied Research said once another person had gained access to an online social media account, tracking them down could prove to be difficult.
“If you logged into Bob’s Facebook account and scribbled, ‘I hate whales,’ on his wall, you are probably okay by simply using a free proxy server to cover your tracks. If you are making death threats against a president or poking an intelligence agency, you are going to need a lot more,” said Meer.
It is not only celebrity social media accounts that fall victim; large companies also need to ensure that they safeguard themselves from online intruders.
“Most of the big banks have had several incidents over the years and several government agencies have been publicly hacked or embarrassed. So far, reports that we have seen publicly are a relatively small representation of what happens (since most companies don’t even know when they are hacked) and nobody has been forced to disclose their breaches if they did.”
Arthur Goldstuck from World Wide Worx warned online users that clickbait links could also do harm.
“There are several ways an account can be compromised. The most common is through malware programmes disguised as links to videos or images. Typically you receive a message saying something like, ‘You won't believe this video,’ or, ‘See what people are saying about you.’
“The natural instinct is to click on the link, but it hides a mini programme that is in fact asking you to click on it to allow access to your account. A second way is for people to use personal information about you that you have revealed publicly, such as your children’s or spouse’s name, or a nickname, to guess your password.
“It’s hit and miss, but sooner or later they get into someone’s account that way. Finally, they try out the most common passwords in the world, like ‘12345678’ and ‘password’, with that very commonality meaning they will find accounts using these.”
Goldstuck offered the following tips to protect online passwords.
“Firstly, never click on a strange or obscure link. If someone tells you to click on something but won’t tell you what’s behind it, be suspicious. Second, choose a strong password. The test for a weak password is simple: will someone else be able to guess my password randomly?”