Skype's Twitter account compromised by Syrian Electronic Army

Filed Under: Facebook, Featured, Hacked, Microsoft, Phishing, Twitter

It would appear that 2014 is starting off on a sour note for the folks in Microsoft's social media team.

The Syrian Electronic Army (SEA) appears to have compromised Skype's Twitter account. Skype was acquired by Microsoft in 2011.


There is evidence to suggest the attackers also gained access to Skype's Facebook page and WordPress blog, which points to either passwords reused across the accounts or a compromised Skype employee email account that could be used to reset them.

This isn't entirely surprising: on Christmas Eve the FBI warned media organizations about a new wave of phishing attacks attributed to the infamous SEA.

Skype has more than three million followers on Twitter, which means that, had the attackers chosen to send out malicious links or other dangerous content, this could have been a whole lot worse.

What I would like to know is why on earth a company social media profile with over three million followers would not be using two-factor authentication.

Last year Twitter rolled out an improved two-factor solution, seemingly in response to previous attacks by the SEA.

WordPress offers two-factor authentication, and Facebook has supported it for a couple of years now, all in an attempt to prevent exactly this type of attack.

Microsoft, would you care to explain why you apparently are not using it?

I believe it is the responsibility of organizations with a large number of followers to do whatever they can to secure their profiles.

I suppose this can be a lesson to the rest of us. Take advantage of the safety net of two-factor authentication whenever possible. While it may be less than perfect, so are you.
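To make the "safety net" concrete, here is how the app-based flavour of two-factor authentication that Twitter, Facebook and WordPress offer works under the hood, as an added example that is not code from the original post nor from any of those services. Authenticator apps implement TOTP (RFC 6238): the phone and the server share a secret and each independently derives a six-digit code from it and the current 30-second time step, so the code never travels to the phone over SMS and the app can work offline. The demo secret is the RFC 4226/6238 test key, the `TotpVerifier` class and its one-step drift window are an illustrative server-side design (an assumption, not any named service's implementation), and the "last accepted step" check shows why a code phished or intercepted once cannot simply be replayed.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test key "12345678901234567890",
# base32-encoded the way authenticator apps expect it in a provisioning QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app displays."""
    return hotp(secret_b32, at_time // step, digits)


class TotpVerifier:
    """Server-side check (illustrative design, an assumption of this example).

    Accepts the code for the current step or `window` steps either side of it, so a
    phone whose clock drifts by a few seconds still works, and records the highest
    step it has accepted so that the same code cannot be replayed if someone
    phishes or intercepts it.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                         # already used: treat as a replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # What the phone shows at Unix time 59 (RFC 6238 test vector, truncated to 6 digits).
    print("code at t=59:", totp(DEMO_SECRET_B32, 59))
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("first use accepted:", verifier.verify(totp(DEMO_SECRET_B32, 59), 59))
    print("replay 16s later accepted:", verifier.verify(totp(DEMO_SECRET_B32, 59), 75))
```

Run it as a script and the code for t=59 is the RFC's published vector (287082), the first login with it succeeds, and presenting the same code again a few seconds later is refused. The drift window is a trade-off: widening it helps users with slow phones but multiplies the number of codes an attacker could guess in one step, which is one of the "less than perfect" aspects the article alludes to.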


8 Responses to Skype's Twitter account compromised by Syrian Electronic Army

  1. Youp · 243 days ago

    For me it only works when alternative delivery methods are offered. Like my bank offers an in-the-moment choice between a voice (to mobile or landline), a text and an email message with a security code. Since my mobile phone doesn't work most of the time, due to where I live, a 2-factor solution doesn't work for me if the only option available is a text message.

    • I've had similar issues with receiving texts. Most services offer an app (Twitter, Facebook), Google Authenticator (avail on Android, Blackberry, iOS) or SMS. Some will call you if the SMS isn't working (Facebook, Google).

    • JohnJ · 242 days ago

      Off topic: If you have poor cell reception but good broadband Internet where you live, talk to your carrier about getting a microcell/femtocell. It uses your broadband connection to talk to the carrier and provides a local cell tower for your devices.

      They should provide it at no cost but some carriers do charge.

  2. Jan Doggen · 242 days ago

    "What I would like to know is why on earth a company social media profile with over three million followers would not be using two-factor authentication." Because it is a marketing account maintained by several people?

    • Jeremy · 242 days ago

      Because there is nothing stopping them from using an app to authenticate. It can be set up on each mobile.

    • No excuse. Twitter uses an app for 2 factor, WordPress offers Google Authenticator for its VIP customers and Facebook offers app, phone and txt options.

  3. Guest · 242 days ago

    This is long and somewhat off topic, but here goes, anyway:

    To this day, Microsoft does not offer 2 factor authentication (2FA) for its Web-based Hotmail (now called Outlook) email program.

    [Post edited for length]

    Now, then. Sophos, I have two questions for you:

    1. What in addition to 2FA can non-psychopaths use to try to protect themselves against psychopaths?

    2. Which is the safest (read: the least interceptable) way to receive 2FA codes? How easily can hackers intercept 2FA codes when they are sent to cell phones or smart phones? Are they safer when sent to offline cell phones than to online smartphones or is there no appreciable difference? Finally, how easily can hackers intercept 2FA codes when they are sent to landline phones? Your recommendations?

    • Paul Ducklin · 241 days ago

      Errr, you can use 2FA with your Microsoft account. (Redmond calls it "two step verification.")

      http://windows.microsoft.com/en-us/windows/two-step-verification-faq

      In addition to 2FA, you can:

      * Choose a hard-to-guess regular password.
      * Use a different password for each online account.
      * Use a decent anti-virus to increase your resilience to password keylogging.

      The two main ways for two step verification are [1] via SMS (great if you have reliable mobile service and you don't browse on the same device on which you receive the SMSes) [2] a separate authenticator app on a mobile device (can work offline, and great if you don't browse on the same device as you run the authenticator app).


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.