Dancing with the Stars pro Witney Carson announced on Twitter that her Facebook account had been hacked. Unknown miscreants gained control of Carson’s Facebook account through a unique phishing technique and proceeded to upload spam not only to her own page but also to reshare it to other celebrity pages.
Now, there are two questions that immediately come to mind:
- Who is Witney Carson?
- How was her Facebook account hacked?
Unfortunately, I don’t know the answer to either of these questions. Prior to reading about the story in Pop Culture, I had personally never heard of Witney Carson. But that doesn’t matter, because it goes to show that you don’t have to be a global superstar with millions of followers to be an attractive target.
Even accounts with a few hundred thousand followers (or even fewer depending on the industry) can be juicy targets for attackers looking to leverage the victim’s brand to spread malware or spam.
So, the question becomes, how did Carson’s account get hacked?
There are a number of possibilities:
- It could be that Carson used an easily guessable password.
- Maybe Carson re-used a password which was previously breached.
- An agent / assistant had access to the Facebook account and the breach occurred there somehow.
- Carson played a ‘Facebook game’ or allowed access via a third party which scraped her details.
There could be many other ways, but what is clear is that a few relatively simple steps, such as practicing good password hygiene and enabling 2FA, could have prevented the account takeover.
It’s important that organisations protect their own social media accounts as well as ensuring their staff know how to best protect theirs. New school security awareness training can help educate your users on how to secure an account; otherwise, accounts can be taken over by criminals – and while it may not feel like a big deal, a compromised account can have far-reaching repercussions that affect the whole organisation.