Mark Zuckerberg was hacked. How can any of us stay safe?
Tech billionaires: they forget their passwords, just like us.
A group of hackers broke into Mark Zuckerberg's Twitter and Pinterest accounts over the weekend, revealing the Facebook CEO had reused the same password across several sites.
The hacking group that claimed responsibility, known as OurMine Team, said it obtained Mr. Zuckerberg's password, identified as "dadada," through a large-scale hack of passwords from LinkedIn that originally occurred in 2012.
Zuckerberg had last used his account on social media rival Twitter in 2012, but the hackers also claimed to have broken into his account on Instagram, which is owned by Facebook, a charge the company denied.
While the hack wasn't seriously damaging, it does illustrate a number of problems with passwords made up of letters and numbers.
People often reuse passwords or continue to use "123456" or a variety of passwords that reference "Star Wars," according to one annual "worst passwords" list. But there's also the issue that even passwords that are technically strong are easy for computers to guess.
That's because of increasingly sophisticated software that can use "brute force" – many attempts over and over again – to crack a password. Typically, experts advise using passwords that are 12 characters or longer. Variations in spelling, capitalization, numbers and punctuation also make passwords stronger.
To combat password-cracking software, security expert and cryptographer Bruce Schneier recommends taking a sentence that's personally memorable and turning it into a password.
Examples from the site LifeHacker include:
WOO!TPwontSB = Woohoo! The Packers won the Super Bowl!
PPupmoarT@O@tgs = Please pick up more Toasty O's at the grocery store.
Security experts say using a password manager to keep track of different passwords for a range of sites is also important. They advise enrolling in so-called two-step verification, offered by services such as Gmail and LinkedIn, which sends users a code on their phone each time they want to open their account.
Another important tip is to avoid disclosing personal information online to sources you can't verify, such as the email saying you need to change your Twitter password that appears to come from a strange domain.
It's not clear why OurMine Team decided to hack Zuckerberg's accounts, though the hackers have been involved in other seemingly random or malicious attacks, such as on educational game Minecraft and the website WikiLeaks.
Zuckerberg's position at Facebook — one of the world's largest holders of online data — coupled with comments he once made calling the site's users "dumb" for sharing so much information, may have made him an attractive target.
But more troubling, some consumer advocates say, are the lesser-known data brokers that can offer up millions of users' information for a price.
"It's great that some companies, like Google and Facebook, have very public privacy information, but there are layers and layers of companies who are buying and selling this information whose names you've never heard of using algorithms in ways you could never even imagine," Persis Yu, an attorney at the National Consumer Law Center, said during a panel discussion at the Massachusetts Institute of Technology in March.
Those concerns have fueled the use of alternatives to traditional passwords, such as fingerprints to verify a customer's identity. Google and Amazon have also been testing technology that lets people verify a payment by taking a selfie.
But until better technology becomes commonplace, taking security precautions is still important, many say.
"In possibly just a few years, passwords will be just one part of a larger continuum of security measures that include chip-and-PIN tools on your credit card, iris scans, facial recognition, and much more," notes Uproxx's Dan Seitz. "Until then, the responsibility of protecting our data falls to us."
