OurMine Hacking Group Targets the NFL by Hijacking Multiple Facebook, Instagram, and Twitter Accounts
Having your personal social media account taken over is not fun. If someone manages to break into it, they will not only get access to some deeply private data, but they'll also get a platform from which they can impersonate you and attack all your friends, relatives, co-workers, and people you've met online. While you probably have several hundred followers on your social network accounts, celebrities, sports clubs, and entertainment companies are followed by millions. You'd be forgiven for thinking that the people in charge of such accounts have taken every necessary precaution to ensure that any unauthorized access attempts are stopped well in advance. Unfortunately, the existence of a hacking group known as OurMine suggests that this is not the case.
OurMine is back
After a rather long hiatus, OurMine came back with a bang at the end of last week, when they compromised quite a few social media accounts in one fell swoop. The targets were the National Football League and about half of the teams that play in it. First, the hackers hit the Chicago Bears' Twitter profile and, after using the platform to spread some fake news about a new team owner, they revealed that they had taken over the account. They then moved on to quite a few other American football teams.
According to the BBC, the Kansas City Chiefs, Green Bay Packers, Dallas Cowboys, Denver Broncos, Indianapolis Colts, Houston Texans, New York Giants, Philadelphia Eagles, Tampa Bay Buccaneers, Los Angeles Chargers, San Francisco 49ers, Cleveland Browns, and Arizona Cardinals all had their Twitter accounts hacked. The NFL's own Twitter account wasn't spared, either, and some teams were also locked out of their Facebook and Instagram profiles.
OurMine's members removed the profile pictures, bios, and headers on some of the accounts, and they also sent a message. The hackers used the compromised accounts not only to announce that they're back but also to show everybody that "everything is hackable." Those of you familiar with this crew's previous attacks have heard this before.
Harmless fun or a serious threat
The OurMine hackers have a rather long legacy of successfully compromising high-profile social network accounts. Among their victims, you'll find global media outlets, streaming platforms, sports teams with enormous follower bases, famous DJs, YouTubers, singers, bloggers, and quite a few CEOs of major Silicon Valley companies, including Jack Dorsey and Mr. Social Media himself, Mark Zuckerberg. The attack from Sunday is not to be sniffed at, either. The NFL's Twitter account alone, for example, has over 25 million followers.
The colossal number of people who follow these pages means that over the years, the OurMine hackers have been given numerous opportunities to cause quite a lot of damage. A phishing link posted on behalf of a popular account can attract many users, even in a limited period of time, but the OurMine hackers just don't seem to be interested in that.
Every time they attack an organization or a celebrity, they claim to do it in order to show the victims how poor their security is. When they took over Mark Zuckerberg's Twitter and Pinterest accounts in 2016, they even announced publicly that Facebook's CEO was using "dadada" as the password for some of his accounts. People might argue that by naming and shaming celebrities and large enterprises for their security mistakes, the OurMine hackers are teaching the rest of us a lesson.
We don't necessarily agree with that. As ZDNet pointed out, OurMine uses the notoriety it has gained around the high-profile social media attacks to boost its reputation on the underground markets where it sells stolen information. If the hackers really had good intentions, they would be working in the security industry and would be disclosing the vulnerabilities responsibly.
Nevertheless, we do hope that in the wake of yet another OurMine attack, users start to take notice. Even if you aren't responsible for a popular account with millions of followers, the combination of a strong, unique password and two-factor authentication could save you quite a lot of embarrassment.