Hackers rarely invent new tricks. Rather, they just find new ways to use old ones.
When Tom Van de Wiele — F-Secure Principal Security Consultant — was growing up, taking over IRC accounts and channels was the thing. “Now people amuse themselves with social media accounts and bribing,” he told me.
If you have a Facebook, Twitter, Snapchat, Pinterest or Instagram account with a lot of content and/or followers, you are at risk of being hacked and extorted. And even if you don’t have a lot of followers but still place a lot of value in your account, you could become the target of a motivated attacker.
So how will you be hacked?
If you don’t have 2FA — two-factor authentication — it’s pretty easy. “The password will be guessed,” Tom said.
“The ‘guessing’ is the result of the criminal going through all email addresses and accounts you own and seeing what passwords you chose in the past. The attacker will then try to bruteforce into the account using a password you used for other services combined with other keywords and mutations you might have chosen.”
Where can criminals find which passwords you’ve used in the past?
“Websites like Have I Been Pwned? are great to see where your data might have been exposed. But the same lists that website uses are downloadable, and the cracked passwords from those lists are being traded on-line as you read this.”
So what can you do to prevent your social media accounts from being hacked?
Tom’s best practices for social media (and other online service) hygiene
- Use a passphrase instead of a password. Length always wins.
- Use unique passphrases for all online services. Unique means really unique, so not spiderman2017, batman2016, etc. Criminals might be insidious but they are not stupid.
- Use a password manager to store all your passwords with a strong master passphrase.
- If you have to, write down your master passphrase somewhere at home and keep it physically safe. Remember, most of the password guessing attacks come (1) from the internet and (2) from people who perform drive-by attacks, not targeted attacks. These are not necessarily the people who have regular access to your home. Secure your passphrases accordingly and have a back-up plan.
- Enable two-factor authentication (2FA) using e.g. Google Authenticator or enable SMS two-factor authentication as a back-up, in that order. Unlike SMS, Google Authenticator can be used offline and is not prone to telecom-operator-related attacks.
- Keep an eye on the activity logs of the service in question, if available to you as a user. Look for login attempts or successful logins from other IP addresses and/or countries.
- Be on the lookout for phishing. Phishing can bypass two-factor authentication if done in the right way. Do not click on the links in e-mails sent by the service you subscribed to, but log on to the service yourself and look for the information there.