It was a four-day holiday weekend here in the UK, so I took a break from my normal monitoring of what was going on in the world of online security... but a tweet from industry veteran John McAfee caught my eye, having a poke at the company he sold 25 years ago (but continues to tease for using his name):
Someone hacked the Intel/McAfee website. Was not me. pic.twitter.com/gOoqPGV9BD
— John McAfee (@officialmcafee) April 17, 2017
John McAfee was wrong to say that it was the McAfee website that had been hacked - the actual victim was the company's LinkedIn presence followed by over 135,000 people.
Nonetheless, for any corporate brand to have its social media account hijacked by mischief-makers is embarrassing. And for it to happen to a major computer security company through such insecure behaviour is downright humiliating.
We just have to be grateful that the account hijackers were content to merely spread electronic graffiti, rather than use the opportunity to spew out phishing links or direct unsuspecting followers to visit malware-infected webpages.
As CSO Online's Steve Ragan describes in some detail, it appears that the attack happened because one of the admins of McAfee's LinkedIn page committed two cardinal sins:
- Reusing passwords across different online accounts.
- Not enabling two-factor authentication.
To its credit, LinkedIn doesn't require companies to share the same username and password for their company page amongst different administrators. Instead, you can assign page admin rights to individual LinkedIn users, who log in with their own personal credentials.
Of course, you would then want to feel sure that each admin has used a strong, unique password for their LinkedIn account, and has enabled LinkedIn's two-step verification feature (2SV).
I don't know if McAfee asked all of its page admins to take those steps or not, but it appears that one of their admins let the side down - and carelessly put the company's brand reputation at stake.
Although it's easy to have a giggle at McAfee's misfortune, now would be a good time for all companies to consider if they have educated their staff about how to protect online accounts more safely - and enable two-step verification or two-factor authentication where available. Not just on LinkedIn, but also on the many other online services where hackers might be attempting to hijack brands.
Read more about two-step verification:
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)