PayPal UK's Twitter profile commandeered by angry hacker

Filed Under: Featured, Social networks, Spam, Twitter

Hacker avatar image defacing PayPal UK Twitter account

At approximately 21:20 GMT a hacker took control of the Twitter account of online payment broker PayPal UK. This is the latest in a string of attacks over the past few weeks, the most recent of which targeted Fox News.

Similar to the attack against Fox News, it appears the PayPal UK team was unaware of the problem. For almost two hours the attackers had control of the profile and even changed the avatar photo. As of 23:15 GMT the profile had been taken offline.

It appears whoever hacked the account is having some kind of dispute with PayPal over a frozen account. One of the tweets that was posted states, "PAYPAL FROZE ALL MY MONEY FOR NO REASON, F*** YOU!"

PayPal UK hacked tweets

How does such a high-profile brand, especially one associated with your banking information, get hacked like this? It usually happens in one of three ways:

  1. Large organizations often have many people responsible for updating their social networking accounts. Most social networks were designed for use by individuals and don't offer enterprise-grade security options with granular permission controls. If the password is shared with enough people, someone will misplace it or use something "everyone can remember."
  2. The password is either ez2guess or is reused across many different accounts. With the large numbers of usernames and passwords that have recently been disclosed, many attackers are checking whether well-known organizations reuse passwords on multiple sites.
  3. Recalling the incidents last month on the Lulz high seas, we saw many people's email accounts hacked, again through password reuse. Once an attacker controls a key email account, they can request password resets from Twitter, Facebook or just about any other online service.

Update: A PayPal spokesperson has contacted Naked Security with a statement regarding this attack.

They stated:

"PayPal UK's Twitter feed was targeted by hackers tonight. PayPal would like to reassure all customers that PayPal’s UK customer systems and data have not been breached or hacked in any way. There is no link between customer systems and our Twitter account."


8 Responses to PayPal UK's Twitter profile commandeered by angry hacker

  1. ken · 1208 days ago

    I'm not a big proponent of password managers, but am in the middle of a LastPass review and found it offers a nice password sharing feature.

    One administrator can create a really strong password, then every user who needs to log in can be given rights in LastPass. The individual users will never see the real password; they will log in using their own LastPass account. It's a nice way to delegate without giving out keys.

    This is a perfect use for such a feature.

    Perhaps Twitter should create its own delegate feature with an audit trail.

    Healthy Passwords

    • Chester Wisniewski · 1208 days ago

      I agree. I don't like to promote commercial products in general, but I was quite impressed with LastPass and their approach to password management. It does still rely on the users to choose strong passwords for their LastPass vault, though, so users can still fall victim to a trivial-to-guess passphrase.

  2. NZJourneyMan · 1208 days ago

    Twitter may not be PayPal, but I spend a fair amount each year with PayPal and this sort of thing really makes me jumpy.

    If they can't protect their highly visible twitter account properly, are they protecting the rest of their assets adequately?

    I'm generally not prone to panic, but I'm wondering if I should temporarily remove the DD and credit card from my PayPal account as the potential downside is the available cash in my bank account.

    • 5am · 1207 days ago

      I'm pretty sure the Twitter jockey wouldn't also be in charge of security...

  3. NZJourneyMan · 1208 days ago

    On another matter, PayPal doesn't have two factor authentication. Every other financial institution I deal with does. I think Naked Security needs to take them to task over this.

    • Chester Wisniewski · 1208 days ago

      I'm not sure if they offer it globally, but they do offer two-factor tokens and SMS two-factor authentication in North America.

    • Fabian · 1196 days ago

      Not so: I have a PayPal token (it's marked Vasco) and when I log in to my account or make any purchases, I have to give my password plus the six-digit PIN that pops up when I press the button on the token. Works really well, I like it.

  4. Anon · 1208 days ago

    This could be a flaw in Twitter's system rather than PayPal's.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.