Mark Zuckerberg’s Facebook fan page has been attacked by hackers, who took over the page and posted the following message, pretending to be him: “Let the hacking begin: If Facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it?”
Shortly after the message was published, it was ‘liked’ more than 1,800 times and had attracted nearly 500 comments.
“Facebook users – famous or not – need to take better care of their social networking security,” said Graham Cluley, senior technology consultant at internet security firm Sophos.
“Mark Zuckerberg might be wanting to take a close look at his privacy and security settings after this embarrassing breach. It’s not clear if he was careless with his password, was phished, or sat down in a Starbucks and got sidejacked while using an unencrypted wireless network, but however it happened, it’s left egg on his face just when Facebook wants to reassure users that it takes security and privacy seriously. Maybe Mr Zuckerberg would be wise to get a refresher on computer security best practice.”
Facebook has since removed Zuckerberg’s fan page from the site and has refused to comment on the security breach.
How the hack was perpetrated raises an interesting question.
Celebrity social networking pages are often managed by a whole team of marketing minions. (When you have millions of Facebook friends or Twitter followers, keeping up with the pace of your online social interactions generally gets beyond the capacity of a single person. What this says about the legitimacy of your “friendships” is left as an exercise for the sociologists.)
In the absence of any sort of two-factor authentication, an account that many different people can log into, each with their own password, is at greater risk than an account used by just one person: every extra password is one more credential that can be guessed, phished or leaked.
When many passwords each carry enough power to deface a page or to steal personally identifiable information (PII), an attacker has many more opportunities to beg, steal, bribe or borrow one of them and reach the crown jewels.
In Australia, there’s already a name for this: the Vodafone Problem.
By giving passwords to all its dealers, and giving them access to pretty much all of the Vodafone Australia customer management system – including PII, call records and customer security codes – the mobile phone giant all but guaranteed that the wheels would come off, sooner or later.
A single lost, sold or stolen password, or a single dishonest, aggrieved or even merely ill-advised dealer, was in a position to spoil things for everyone.
Perhaps this sort of “injury to one is an injury to all” effect is what went wrong in this Facebook hack? Perhaps Mark Zuckerberg was careless in choosing or looking after his own password?
Whatever happened in this case, it raises one more tough question: do you still trust Facebook with your online persona?
Why not have your say by voting in the poll? http://nakedsecurity.sophos.com/2011/01/26/facebooks-zuckerberg-in-fan-page-hack/ (Dr Search’s answer was the same as the majority’s.) What is your view of Facebook’s security?