At approximately 21:20 GMT a hacker took control of the Twitter account of online payment broker PayPal UK. This is the latest in a string of such attacks over the past few weeks, the previous one having targeted Fox News.
As with the attack against Fox News, it appears the PayPal UK team was unaware of the problem. For almost two hours the attackers had control of the profile and even changed the avatar photo. As of 23:15 GMT the profile had been taken offline.
It appears that whoever hacked the account is having some kind of dispute with PayPal over a frozen account. One of the tweets posted states, “PAYPAL FROZE ALL MY MONEY FOR NO REASON, F*** YOU!”
How does such a high profile brand, especially one associated with your banking information, get hacked like this? Usually it occurs one of three ways:
- Large organizations often have many people responsible for updating their social networking accounts. Most social networks were designed for use by individuals and don’t offer enterprise-grade security options such as granular permission controls. If a single password is shared with enough people, someone will eventually misplace it or choose something “everyone can remember.”
- The password is either ez2guess or is reused across many different accounts. With the large numbers of usernames and passwords disclosed recently, many attackers are looking for well-known organizations that may have reused passwords on multiple sites.
- Recalling the incidents last month on the Lulz high seas, we saw many people’s email accounts hacked, again through password reuse. Once an attacker holds a key email account, they can trigger password resets from Twitter, Facebook or just about any other online service and receive the reset links themselves.
Update: A PayPal spokesperson has contacted Naked Security with a statement regarding this attack.
“PayPal UK’s Twitter feed was targeted by hackers tonight. PayPal would like to reassure all customers that PayPal’s UK customer systems and data have not been breached or hacked in any way. There is no link between customer systems and our Twitter account.”