Keeping Hackers Out of Your Social Media Accounts

F-Secure Life, Security & Privacy, Threats & Hacks, Tips & Tricks

Hackers rarely invent new tricks. Rather, they just find new ways to use old ones.

When Tom Van de Wiele — F-Secure Principal Security Consultant — was growing up, taking over IRC accounts and channels was the thing. “Now people amuse themselves with social media accounts and bribing,” he told me.

If you have a Facebook, Twitter, Snapchat, Pinterest or Instagram account with a lot of content and/or followers, you are at risk of being hacked and extorted. And even if you don’t have a lot of followers but still place a lot of value in your account, you could become the target of a motivated attacker.

So how will you be hacked?

If you don’t have 2FA — two-factor authentication — it’s pretty easy. “The password will be guessed,” Tom said.

“The ‘guessing’ is the result of the criminal going through all email addresses and accounts you own and seeing what passwords you chose in the past. The attacker will then try to brute-force into the account using a password you used for other services combined with other keywords and mutations you might have chosen.”

Where can criminals find which passwords you’ve used in the past?

“Websites like Have I Been Pwned? are great to see where your data might have been exposed. But the same lists that website uses are downloadable, and the cracked passwords from those lists are being traded on-line as you read this.”

So what can you do to prevent your social media accounts from being hacked?

Tom’s best practices for social media (and other online service) hygiene

  • Use a passphrase instead of a password. Length always wins.
  • Use unique passphrases for all online services. Unique means really unique, so not spiderman2017, batman2016, etc. Criminals might be insidious but they are not stupid.
  • Use a password manager to store all your passwords with a strong master passphrase.
  • If you have to, write down your master passphrase at home and keep it physically safe. Remember, most password guessing attacks come (1) from the internet and (2) from people who perform drive-by attacks, not targeted attacks. These are not necessarily the people who have regular access to your home. Secure your passphrases accordingly and have a back-up plan.
  • Enable two-factor authentication (2FA) using e.g. Google Authenticator or enable SMS two-factor authentication as a back-up, in that order. Unlike SMS, Google Authenticator can be used offline and is not prone to telecom-operator-related attacks.
  • Keep an eye on the activity logs of the service in question, if available to you as a user. Look for login attempts or successful logins from other IP addresses and/or countries.
  • Be on the lookout for phishing. Phishing can bypass two-factor authentication if done in the right way. Do not click on the links in e-mails sent by the service you subscribed to, but log on to the service yourself and look for the information there.

1 Comment

Great information. I need to review some of the information you wrote about that had links to information regarding known weaknesses that could lead to an attack. Great overview of security issues while online.
