Lessons to learn as McAfee's LinkedIn page is hijacked

Whoops.

It was a four-day holiday weekend here in the UK, so I took a break from my normal monitoring of what was going on in the world of online security... but a tweet from industry veteran John McAfee caught my eye, having a poke at the company he sold 25 years ago (but continues to tease for using his name):

John McAfee was wrong to say that it was the McAfee website that had been hacked - the actual victim was the company's LinkedIn presence, which is followed by over 135,000 people.

Nonetheless, for any corporate brand to have its social media account hijacked by mischief makers is embarrassing. And for it to happen to a major computer security company through such insecure behaviour is downright humiliating.

We just have to be grateful that the account hijackers were content to merely spread electronic graffiti, rather than use the opportunity to spew out phishing links or direct unsuspecting followers to visit malware-infected webpages.

As CSO Online's Steve Ragan describes in some detail, it appears that the attack happened because one of the admins of McAfee's LinkedIn page committed two cardinal sins:

  • Reusing passwords across different online accounts.
  • Not enabling two-factor authentication.

To its credit, LinkedIn doesn't require companies to share the same usernames and passwords for their company pages amongst different administrators. Instead you can assign page admin rights to different LinkedIn users, who log in with their own personal credentials.

Of course, you would then want to feel sure that each admin has used a strong, unique password for their LinkedIn account, and has enabled LinkedIn's two-step verification feature (2SV).

I don't know if McAfee asked all of its page admins to take those steps or not, but it appears that one of their admins let the side down - and carelessly put the company's brand reputation at stake.

Although it's easy to have a giggle at McAfee's misfortune, now would be a good time for all companies to consider if they have educated their staff about how to protect online accounts more safely - and enable two-step verification or two-factor authentication where available. Not just on LinkedIn, but also on the many other online services where hackers might be attempting to hijack brands.


One Response

  1. Stephen

    April 22, 2017 at 1:20 pm #

    John McAfee wouldn't know where to start trying to hack LinkedIn. He employed people to write the software with his name on it, and hasn't done much lately other than getting in trouble with the law.
