A group of hijackers known as OurMine, possibly from Saudi Arabia, briefly took over Facebook chairman and CEO Mark Zuckerberg's Twitter and Pinterest accounts yesterday (June 5).
It turns out Zuckerberg was one of the 165 million LinkedIn members whose login credentials were in a recently leaked data dump dating from 2012. He apparently had reused his LinkedIn password — "dadada," according to the group that took over his Twitter account — across multiple accounts, and had never changed them.
Zuckerberg's mistake is one that too many people make. They pick a easy-to-remember password, and use it for more than one account. Fortunately, it's simple to be smarter than Mark Zuckerberg about online passwords.
- Start by creating unique and complex passwords. You may not want to spend that time and effort on creating a password for each and every account, but definitely use it for those that matter: online banking, email, social networks, online retailers and any other service that you trust with sensitive data.
- Next, don't let your web browser store your login information for any website that involves sensitive data. Doing so is fine if there's nothing sensitive to protect in a specific account, but make sure those "so what if they do get hacked" accounts have nothing more on you than a username and an email address.
- Don't let websites retain your credit-card information, either— you don't want that showing up in the next massive data breach. Typing information in every time you need to purchase may be less convenient, but it protects you in the long run.
- Turn on two-factor authentication on every site for which it's available.Twitter, Snapchat, Facebook, Microsoft, Amazon, Dropbox, LinkedIn, Yahoo, Google, Apple and many more offer this feature, which usually requires that you have access to your smartphone in order to log in from a new computer.
- If you want to get really serious, sign up for high-value accounts with unique email addresses as well as unique passwords. You'll have to remember a lot of email addresses, but your exposure during the next data breach will be minimal.
- Consider using a password manager. Most password managers let you log in from PCs, Macs, iPhones and Android phones alike, and many will create long, complex passwords for you. (But understand that keeping all your passwords in one place creates one centralized point of failure that attackers can target.)
Zuckerberg's "dadada" password wasn't stored as plaintext in the leaked LinkedIn database, but instead as a one-way hash created by running the password through a mathematical algorithm. The result is a string of characters that is theoretically impossible to reverse. In this case, "dadada" becomes "0f158e648228a19cab5f23acfd6c36f716a702a9".
The problem is that LinkedIn was lazy. It used the SHA-1 hash algorithm, which by 2012 was well understood to be vulnerable to reversing. Worse, LinkedIn didn't take any extra steps that would have strengthened the security, such as hashing the hash or "salting" the hash with extra characters. (Both are common practice, and LinkedIn began salting its hashes soon after the 2012 data breach.)
This made it easy for OurMine and any other bored ne'er–do–wells to reverse Mark Zuckerberg's password. Just search "reverse SHA-1" and you'll see there are plenty of options out there. Plug "0f158e648228a19cab5f23acfd6c36f716a702a9" into one and you'll get "dadada."