Yesterday, Disneyland Anaheim’s Instagram and Facebook accounts were hacked by a self-proclaimed “super hacker” going by the name David Do, who posted racist and homophobic messages on the accounts.
The attack appears to have been motivated by a negative experience with the brand, with the attacker saying he was “here for revenge on Disney Land” [sic] and tired of Disney employees “laughing” at him.
While Disneyland was quick to regain control of the account and delete the posts, the event was a public relations nightmare that left millions of visitors and families exposed to hateful and offensive content, especially on Disneyland Anaheim’s Instagram, which has 8.4 million followers.
For other organizations, the Disneyland incident underscores that while platforms like Facebook and Instagram can help reach a wider audience, they also open the door to social media account takeover, which an attacker can use to seriously damage your reputation.
While it’s unclear how the hacker gained access to Disneyland’s social accounts, Aaron Turner, CTO of SaaS Protect at California-based AI cybersecurity provider Vectra, believes that social media companies are to blame for having offered organizations poor authentication mechanisms.
“From an identity and access perspective, I’ve always been disappointed that major social media and internet publishing don’t allow their biggest sponsors to use strong authentication and federated identities to protect their brands,” Turner said.
One of the main problems with social media accounts, and the reason they are vulnerable to account takeover attempts, is that they rely on password authentication, which is susceptible to credential theft.
According to the Verizon 2022 Data Breach Investigations Report, 50% of last year’s breaches involved stolen credentials.
“Because Instagram forced Disney to use a low-security authentication mechanism, essentially something that wouldn’t be considered enterprise-grade authentication with proper logging, monitoring, and anomaly detection, it created an opportunity for this online vandalism to take place,” Turner said.
Turner points out that taking over social media accounts is a very simple way for a malicious actor to cause serious reputational damage to an organization. Therefore, organizations should be aware that the use of social media poses reputational risks that need to be managed.
Why are credentials so easy to exploit?
While it would be unfair to speculate on how the attacker gained access to Disneyland’s accounts, credential theft does play a significant role in many social media account takeover attempts.
In fact, research shows that of the 22% of American adults who have experienced an account takeover, social media accounts made up 51% of the total. The same research also found that 60% of account takeover victims had reused the compromised account’s password on other accounts.
It’s something most organizations are also well aware of, with 84% of IT managers saying passwords are a deceptively weak way to secure data.
The reason there is so much credential theft is that it is low risk and high reward. An attacker can obtain a victim’s email address and start brute-forcing a weak password, search for leaked credentials online, or target the victim with a phishing campaign that tricks them into entering their login details on a spoofed website.
Since there are over 15 billion leaked credentials available online, cybercriminals don’t even need technical expertise to break into an account; they can simply reuse credentials that someone else has already leaked.
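The logging, monitoring and anomaly detection that Turner says enterprise-grade authentication should include can catch the two attack patterns just described, brute-forcing one account and trying leaked credentials against many accounts, before an attacker gets far. The following is an added example, written for this page and not code from the article, Vectra, Keeper Security or any social media platform: a small Python detector run over a constructed authentication log. The log format, field names, IP addresses, usernames and thresholds are all assumptions; real platform logs will differ, but the sliding-window logic carries over.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: one line per login attempt, RFC 3339 time).
# 192.0.2.10  = a legitimate user mistyping once, then succeeding
# 203.0.113.5 = brute force against a single account, then a success
# 198.51.100.7 = credential stuffing: one attempt per account across many accounts
SAMPLE_LOG = """\
2022-07-07T09:00:01Z ip=192.0.2.10 user=alice result=FAIL
2022-07-07T09:00:09Z ip=192.0.2.10 user=alice result=OK
2022-07-07T09:01:00Z ip=203.0.113.5 user=alice result=FAIL
2022-07-07T09:01:02Z ip=203.0.113.5 user=alice result=FAIL
2022-07-07T09:01:04Z ip=203.0.113.5 user=alice result=FAIL
2022-07-07T09:01:06Z ip=203.0.113.5 user=alice result=FAIL
2022-07-07T09:01:08Z ip=203.0.113.5 user=alice result=FAIL
2022-07-07T09:01:10Z ip=203.0.113.5 user=alice result=OK
2022-07-07T09:02:00Z ip=198.51.100.7 user=bob result=FAIL
2022-07-07T09:02:01Z ip=198.51.100.7 user=carol result=FAIL
2022-07-07T09:02:02Z ip=198.51.100.7 user=dave result=FAIL
2022-07-07T09:02:03Z ip=198.51.100.7 user=erin result=FAIL
2022-07-07T09:02:04Z ip=198.51.100.7 user=frank result=FAIL
2022-07-07T09:02:05Z ip=198.51.100.7 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=4):
    """Flag brute force, credential stuffing, and a success following either.

    brute_force:          one source IP fails >= brute_threshold times against one user
    credential_stuffing:  one source IP fails against >= spray_threshold distinct users
    success_after_attack: a successful login from an IP already flagged inside the window
    Thresholds are assumptions; tune them to the platform's normal failure rate.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts, seen = [], set()

    def emit(kind, ip, user):
        key = (kind, ip, user)
        if key not in seen:  # report each distinct finding once
            seen.add(key)
            alerts.append({"kind": kind, "ip": ip, "user": user})

    for ip, evs in by_ip.items():
        recent_fails = deque()  # (timestamp, user) of failures inside the window
        attack_until = None     # time until which a success is considered suspicious
        for ts, _, user, result in evs:
            while recent_fails and ts - recent_fails[0][0] > window:
                recent_fails.popleft()
            if result == "FAIL":
                recent_fails.append((ts, user))
                if sum(1 for _, u in recent_fails if u == user) >= brute_threshold:
                    emit("brute_force", ip, user)
                    attack_until = ts + window
                if len({u for _, u in recent_fails}) >= spray_threshold:
                    emit("credential_stuffing", ip, None)
                    attack_until = ts + window
            elif attack_until is not None and ts <= attack_until:
                emit("success_after_attack", ip, user)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Only the two attacking addresses produce alerts; the single mistyped password from 192.0.2.10 stays below both thresholds. The success_after_attack finding is the one worth paging on, since it means a credential has already been guessed or stuffed successfully and the session should be revoked.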
Mitigating social media account takeover is difficult because passwords are inherently vulnerable to theft through phishing, social engineering, and brute-force attacks.
At the same time, the additional security measures that social media platforms offer, such as multi-factor authentication, can also be bypassed, with threat actors like Lapsus$ and Dark Halo both having used techniques to circumvent the authentication mechanism in the past. Second factors that are themselves phishable, such as SMS codes or push prompts a tired user can be tricked into approving, offer far less protection than a phishing-resistant hardware key.
Craig Lurey, CTO and co-founder of zero-trust security company Keeper Security, recommends that organizations deploy a variety of controls to increase the security of their online accounts.
“Password managers can easily protect social media accounts with strong, unique passwords and can also protect the second factor (TOTP code). Social media accounts can also be shared securely from one vault to another within a marketing or social media team with role-based access controls and audit trails,” Lurey said.
These measures can reduce the likelihood of a breach, especially when combined with security awareness training that teaches employees how to choose strong passwords and spot phishing scams.
However, as long as social media accounts rely on passwords, there will always be a risk of credential theft, until passwordless authentication options, such as those promoted by the FIDO Alliance, are widely adopted.