Twitter Responds to OurMine Claims after CEO Jack Dorsey got Hacked
After allegedly accessing private documents from Twitter CEO Jack Dorsey’s Dropbox account, OurMine group claimed that Vine can see users’ passwords. Vine is a video-sharing service owned by Twitter, who will suffer the onus of the claim if true. Twitter, however, was quick to publicly respond that the information is incorrect and based on fake evidence.
Twitter CEO, Jack Dorsey fell prey to OurMine group’s mischief over the weekend as the trio gained access to his Twitter and Vine accounts. As usual, the hackers tweeted through the account to flaunt their achievement. “Hacked by OurMine, we are testing your security, visit ourmine.org,” the tweet said. A similar mark was left on Mr. Dorsey’s Vine account as well. The activity was followed by a news report on OurMine’s website, where the hackers boasted about the successful infiltration. “Today, we checked Jack Dorsey Security, and we got access to his Vine & Twitter accounts, his security was really weak.”
Adding insult to injury, the hackers did not stop at that. In a follow-up news update on their website, Group OurMine announced that Vine can see passwords of all its users. They hacked Jack Dorsey’s Dropbox account, and gained access to some confidential material. The material included alleged pictures of Vine’s administration panel, where a user’s profile is open and password is visible among other information about the user. This suggests that anyone with access to Vine’s administration panel can access that information. “Passwords should be encrypted no need to show it for support team,” claim the hackers. They went on to warn users to be safe and indicated that they are “going to hack more.”
The revelation went viral and people started worrying about the security of their passwords. The statement that support personnel do not need to see users’ passwords did make some sense to users who seemed cross with both Vine and Twitter. It wasn’t long before Twitter noticed and acted on it. Twitter’s Trust & Info Security Officer, Michael Coates denied the claims by tweeting that the admin site does not passwords in any form. Furthermore, the Vine admin panel can be accessed from Twitter IP addresses only and uses the HTTPS protocol.
Re: OurMine allegations about Vine passwords: the admin site is restricted to Twitter IPs, is https, and never shows passwords in any form.
— Michael Coates ஃ (@_mwc) July 9, 2016
OurMine responded to that as well. They said that they got the picture from Mr. Dorsey’s Dropbox account and do not know whether it is real or not. They acknowledged that they did not access the panel themselves. Speculation suggests that the picture submitted by OurMine is probably fake. The fact that the page contains spelling errors points toward the same (Notice how the word “Notifications” is spelt in the left half of the photo).
The OurMine group has recently been attracting a lot of media attention as it has been quite successful in breaching social media accounts of notable celebrities. Its list of heists includes Facebook CEO, Mark Zuckerberg, whose Twitter, Instagram and Pinterest accounts were hacked last month. Twitter was last targeted in May when its cofounder, Biz Stone was victimized along with Minecraft creator Markus Persson. The most recent victim was Google CEO Sundar Pichai, whose Quora account was hacked by OurMine team roughly two weeks ago.
The OurMine group claims to use zero day exploits and advanced hacking tools to get passwords of these celebrities. While they do seem highly skilled at their job, industry experts are more tilted toward alternative theories. They say that the group never really breaches the security of the social media websites; it exploits menial factors such as password databases released by other sophisticated hackers, users’ habit of using repeated passwords across multiple websites, and users setting easily guessable passwords. As per ZDNet, Sundar Pichai’s Quora account was breached by guessing the secret question and answer. The hackers themselves claimed that they used information from the 117 Million LinkedIn passwords leaked earlier to get to Mark Zuckerberg’s Twitter and Pinterest accounts.
OurMine is reportedly a group of three individuals. While their origin is officially not disclosed, some peg it to be Saudi Arabia. Most of their hacking follows a pattern. Once they compromise an account, they post a message announcing that it has been hacked, claim that security was weak, and invite the user to get in touch via the ourmine.org website to get enhanced security. Some have dubbed the group as ethical hackers since it is fairly obvious that they could cause much more mayhem with the accesses they obtain. Instead, they merely choose to gain publicity out of it and a few customers for their security consultancy. However, when ZDNet asked, the hackers denied doing it for business or for fame. “We are just trying to let everyone know that nobody is safe!” they said.
Editing by Javeria Rahim;Graphics by Rashid Rehman