Facebook’s Mark Zuckerberg in fan page hack – on Facebook!

According to TechCrunch – and numerous other online technophile sites – a prominent Facebook fan page has been hacked, defaced and, as a result, closed down.

The victim? Mark Zuckerberg. The defacement? This message, apparently:

Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Prize winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011

Here’s a YouTube video we’ve made about the incident:

(Enjoy this video? You should subscribe to the SophosLabs YouTube channel.)

I know what you’re thinking. How could anyone stoop so low as to diss Time’s Man/Woman of the Year?

Actually, so far, that’s one question no-one – not even Facebook – seems to be able to answer. We don’t know how the hack was perpetrated.
(Update: We now now what really happened.)

Mark Zuckerberg hacked

However, celebrity social networking pages are often managed by a whole team of marketing minions. (When you have millions of Facebook friends or Twitter followers, keeping up with the pace of your online social interactions generally gets beyond the capacity of a single person. What this says about the legitimacy of your “friendships” is left as an exercise for the sociologists.)

In the absence of any sort of two-factor authentication, an account which can be accessed by many different users with many different passwords is at greater risk than an account used by just one person. Given lots of passwords with sufficient power to deface a page or to steal personally identifiable information (PII), a hacker has many more opportunities to beg, steal, bribe or borrow a password to the crown jewels.

In Australia, there’s already a name for this: the Vodafone Problem. By giving passwords to all its dealers, and giving them access to pretty much all of the Vodafone Australia customer management system – including PII, call records and customer security codes – the mobile phone giant pretty much guaranteed that the wheels would come off, sooner or later.

A single lost, sold or stolen password, or a single dishonest, aggrieved or even merely ill-advised dealer, was in a position to spoil things for everyone.

Perhaps this sort of “injury to one is an injury to all” effect is what went wrong in this Facebook hack? Perhaps Mark Zuckerberg was careless in choosing or looking after his own password? (Perhaps Mark might find it useful to join us online at Sophos’s Facebook page? It’s free!)

Whatever happened in this case, it raises one more tough question: do you still trust Facebook with your online persona?

Why not have your say by voting in our poll?

Update: Mark Zuckerberg fan page hacked on Facebook: What really happened?