How Mark Zuckerberg’s social media accounts got hacked – and how to stop it happening to you

In a cautionary tale to SME owners everywhere, Facebook founder Mark Zuckerberg’s Twitter and Pinterest accounts were hacked earlier this week.

Zuckerberg’s Twitter, @finkd, has not been active since 2012, but a tweet on Monday attributed the hack to hacking team OurMine, and asked Zuckerberg to DM them for his account back.

Twitter was quick to suspend his account and within hours Zuckerberg was back in control, with a similar story occurring on his Pinterest account.

Although the damage was reportedly small, this event is an alert to us all. If the founder of Facebook can have his data compromised, so can you.

The team behind the breach claimed the hack was possible due to the recent LinkedIn data breach, which exposed millions of LinkedIn users’ passwords online. This likely means Zuckerberg was using the same password for all three services and had not changed them since early May.

With data breaches happening more and more often, it further reinforces the need for businesses and individuals to use a diverse range of passwords, and change them often.

SmartCompany spoke to two cyber security experts to find out how you can make your accounts secure, and avoid going down the same road as Zuckerberg.

Eight characters doesn’t cut it 

When it comes to password security, the first offenders are short, simple passwords.

Looking back at a report on the top 25 worst passwords of 2015, you can see the kind of passwords that are culprits.

An obvious combination of numbers, such as “12345678”, is not secure. Neither is “baseball”. And “password” is definitely out of the question. Nearly all passwords on this list fall into the trap of being too short and too simple, and will be the very first things hackers try.

Zuckerberg’s Twitter password was “dadada”, which adheres to almost no recommended password guidelines.

Online security expert Michael McKinnon told SmartCompany passwords should be at minimum 12 characters in length, have uppercase and lowercase letters, and include at least one digit and symbol.

“If you can stick to these rules, you’re virtually uncrackable,” McKinnon says.

“Ideally you want a 50-character string of random numbers and letters, but we’re all human and remembering that would be hard.”

Twelve-character passwords can be difficult to remember, so here is some tips for coming up with a tough password you can remember.

Pick a string of letters you can remember, such as an acrostic of a line from a favourite song. For this example, we’ll be using a line from Jackson Browne’s hit song “Running on Empty”.

So our string is “LOATRrbmw”, but that’s only nine characters. To fix this up, add in a number you can easily remember, like a birth year. We’re left with “LOATR73rbmw”, but that’s still one character short. To finish off, insert a special character somewhere within the string.

Our hypothetical password is “LOATR73rbmw@”, which would take a computer approximately 34 thousand years to crack, according to this handy website.

Change it up

Our password may be secure, but that doesn’t mean you can use it for every site you frequent. Passwords should be diversified in order to reduce what hackers have access to if your account is compromised.

McKinnon recommends having multiple passwords, one for each account.

Keeping track of which password corresponds to each account can be tricky, so McKinnon recommends simple mental arithmetic.

“Say you’re logging in to Facebook, a simple technique would be to replace some of the letters in your original password with ones related to Facebook,” McKinnon says.

With the password devised earlier, you could simply replace the first and the last letters with the first and the last letters of “Facebook”. This creates a totally different string, but one you can relate to the site itself.

McKinnon says having one password for all accounts is a very common occurrence.

“People reuse passwords across many different sites, and the reason is because the language suggests it,” McKinnon says.

“Sites inherently suggest we only have one password every time they ask ‘What’s your password?’ but we need to have multiple.”

Methods to manage your passwords 

Many programs exist that offer to manage your passwords, storing them encrypted within a program that requires a detailed master password to unlock.

David Markus, founder and managing director of IT services company Combo, recommends businesses use these programs as a way to manage their passwords.

“We’re all creatures of habit, and we seek easy solutions to things,” Markus says.

“One of these solutions is a program like KeyPass, which can store all your passwords in one secure location.”

However, not all of these programs are secure themselves, with popular password manager LastPass being hacked during 2015.

Using programs like these can be convenient, but SMEs should be aware of the risks involved with putting all your data in one location.

What am I securing? 

Markus had important advice for anyone looking to up their security, saying “if you have no security on your email, you have no security anywhere”.

This is due to the nature of ‘forgot your password?’ forms, which require you to enter nothing but your email to then change an accounts password.

A hacker compromising your email account could easily compromise any other account associated with it.

McKinnon agrees with this and says “email security is primary, it is the key”.

McKinnon also highlights the importance of email screening, to ensure you are not opening a file that could hold your laptop hostage. 

“Simply don’t open attachments if you’re not expecting them, and if it looks important, do some basic checks,” McKinnon says.

“Check the address, contact the company or individual if you have to. If something looks off, don’t open it.”