If Mark Zuckerberg can be a hacking victim, so can you

THE NEW YORK TIMES


There are several lessons to be learned from a data breach in which hackers gained access to Mark Zuckerberg’s social media accounts, but chief among them is probably this: Quit using the same password for multiple websites.

It may be annoying and time-consuming, but following this simple rule can help you avoid the public pwning, or account takeover, that befell Mr. Zuckerberg, the billionaire owner of Facebook and Instagram.

A collective that calls itself OurMine boasted that it had broken into a handful of his social media accounts, including LinkedIn, Twitter and Pinterest. Screengrabs posted by Engadget showed the hackers notifying Mr. Zuckerberg of the breach using his own Twitter account. Bold move.

“We are just testing your security,” the tweet read.

In a statement released on Monday, LinkedIn said that it had found and removed a fake profile that had been created of Mr. Zuckerberg.

“We were alerted of this takeover attempt and have taken action to remove the false profile on LinkedIn,” the statement read.

The company declined to address whether the hack was the result of a larger data breach in 2012 that compromised over 100 million accounts. LinkedIn has taken steps to invalidate passwords from older accounts, but the breach against Mr. Zuckerberg shows that some accounts, especially those that are old or dormant, remain at risk.

In a statement emailed by a spokesman on Monday, Facebook said that Mr. Zuckerberg’s Facebook and Instagram accounts had not been breached.

“No Facebook systems or accounts were accessed. The affected accounts have been re-secured using best practices,” the statement read.

(Facebook’s security systems are now designed to thwart suspicious logins, but Mr. Zuckerberg’s account has not always been immune to breaches: In 2013, a blogger hacked the executive’s page to exploit what he said was a security flaw on the social network.)

OK. Now I’m paying attention. Is my account safe?

You should check to see if your email account has been compromised. The website Have I Been Pwned? provides a useful service: Plug in your email address, and the website will reveal if your data has been leaked or manipulated by hackers.

All right, I checked. Now what?

If your account has been compromised, change your password. And we’ll say it again: Using the same password for multiple accounts is a cardinal sin in the security world, so make sure you mix it up, even with accounts you rarely use.

Graham Cluley, an online security expert and consultant, said that using the same passwords was a likely reason for the Zuckerberg hack. (According to the website The Hacker News, OurMine tweeted that Mr. Zuckerberg’s password was “dadada,” and was used across multiple accounts. OurMine’s Twitter account has since been suspended.)

“It shows it can happen to anyone — even geeks,” Mr. Cluley said. “The problem is that even if you have adopted sensible password practices now, your past mistakes may come back to haunt you.”

Is there anything else I can do?

Mr. Cluley suggested obtaining a password manager, like LastPass, to keep track of your login information. He also said that wherever possible, you should enroll in two-step verification, which sends an authorization code to the user’s phone before the account can be opened. Most social platforms vulnerable to hacking, including LinkedIn, Twitter and Gmail, offer it.

Troy Hunt, an online security expert and the creator of Have I Been Pwned?, reiterated that a password manager was the most reliable way to stay safe.

“Without this, we risk exposing sensitive data in a way that it can put other accounts at risk, particularly via a data breach of one site, which is becoming an alarmingly common occurrence,” he said.

In a statement to its users on Monday, LinkedIn echoed the suggested tactics: “All members should take care to manage and change passwords across other sites, avoid reuse, leverage advanced security features, and update often.”
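The two habits the experts quoted above warn against, reusing one password on several sites and keeping a password that already sits in a public breach dump, are both things you can audit yourself from a password-manager export. The script below is an added example and is not code from The New York Times, from Have I Been Pwned? or from any password manager; the vault rows and the small "breach corpus" are constructed for the demonstration (the value “dadada” is the one the article reports). The breach check is modelled on the prefix-range lookup that breach-checking services such as Pwned Passwords use, where only the first five hex characters of a SHA-1 hash are sent and the rest is compared locally, so a password never leaves the client.

```python
"""Offline audit of a password-manager export for the two habits this
article warns about: password reuse across sites, and passwords that
already appear in a breach corpus.  Added example with constructed data."""
import hashlib
from collections import defaultdict

# Constructed export: (site, username, password).  Not real accounts.
VAULT = [
    ("linkedin.example", "alice", "dadada"),
    ("twitter.example", "alice", "dadada"),
    ("pinterest.example", "alice", "dadada"),
    ("bank.example", "alice", "9kX#v2Lq!mZ8wRt4"),
    ("mail.example", "alice", "correct horse battery staple"),
]

# Constructed stand-in for a leaked-password corpus, kept only as
# upper-case SHA-1 hex digests, the form breach-checking services store.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("dadada", "password", "123456", "letmein")
}


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex (the corpus's key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_reuse(vault):
    """Map every password used on more than one site to the list of sites."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def range_lookup(prefix: str, corpus):
    """Simulated k-anonymity range query: given the first five hex chars
    of a SHA-1, return every hash suffix in the corpus sharing that prefix.
    Against a real service this is the only value that would be sent."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """True if the password's hash is in the corpus; the comparison of the
    remaining 35 hex characters happens entirely on the client side."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5], corpus)


def audit(vault=VAULT, corpus=BREACHED_SHA1):
    """One finding per site: which other sites share its password, and
    whether that password is already in the breach corpus."""
    reused = find_reuse(vault)
    findings = {}
    for site, _user, password in vault:
        findings[site] = {
            "reused_on": [s for s in reused.get(password, []) if s != site],
            "breached": is_breached(password, corpus),
        }
    return findings


if __name__ == "__main__":
    for site, f in audit().items():
        flags = []
        if f["reused_on"]:
            flags.append("reused on " + ", ".join(f["reused_on"]))
        if f["breached"]:
            flags.append("appears in breach corpus")
        print(f"{site:20} {'; '.join(flags) if flags else 'OK'}")
```

Run as-is it flags the three sites sharing “dadada” as both reused and breached, and reports the two unique passwords as OK. To use it on a real export, replace VAULT with the parsed rows from your manager and swap range_lookup for an HTTPS call that sends only the five-character prefix.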
