Mining Social Data Led to Johansson and Aguilera Hacks

News that the FBI has arrested the Florida man they suspect of criminally hacking into devices belonging to celebrities such as Scarlett Johansson and Christina Aguilera is welcome, definitely a win for law enforcement and society at large. But the good news comes with a warning. The technique used by the alleged perpetrator was to dig through social media for information that could be used to predict the celebrities' passwords, and many times he appears to have succeeded.

Don't use pet names for passwords

The reason for his "success" is not rocket science. In an effort to remember their passwords, many people use strings of characters that have special meaning to them, like the name of their first dog or the place where they were born. Many of us still tend to think of such information as "personal" in the sense that not many people know it. But it is getting much easier for strangers to find out such information as we share more and more about ourselves online (that which was personal has become knowable to millions of people around the world, even for those of us who are not famous).
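One defensive counterpart to the problem described above is a registration-time check that refuses passwords built from facts the user has already published. The following is an added example, not code from this post or from ESET; the profile fields and the passwords are constructed sample data, and the leetspeak table is an assumption about the substitutions people commonly make.

```python
import re

# Constructed sample profile: the kind of facts people volunteer on social media.
PROFILE = {
    "first_pet": "Biscuit",
    "birthplace": "Santa Monica",
    "birth_year": "1984",
    "partner": "Ryan",
}

# Assumed common substitutions; they change the look of a word, not its guessability.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lowercase, undo leetspeak, and drop separators: 'B!scu1t_84' -> 'biscuit8a'."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def profile_tokens(profile):
    """Map every guessable token (whole value and each word of it) to its profile field."""
    tokens = {}
    for field, value in profile.items():
        for candidate in [value] + re.findall(r"[A-Za-z0-9]+", value):
            token = normalize(candidate)
            if len(token) >= 3:  # fragments shorter than this would flag almost anything
                tokens[token] = field
    return tokens


def check_password(password, profile):
    """Return the sorted profile fields whose values appear in the password; [] if clean."""
    norm = normalize(password)
    return sorted({field for token, field in profile_tokens(profile).items() if token in norm})


if __name__ == "__main__":
    for pw in ["B!scu1t_84", "Ryan1984", "monicaRocks!", "xk7Qp9-wTz"]:
        hits = check_password(pw, PROFILE)
        print(f"{pw!r}: {'reject, derived from ' + ', '.join(hits) if hits else 'ok'}")
```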

So, if you are using this kind of personal information to create your passwords, now would be a good time to stop. Just 10 days ago, San Francisco Chronicle staff writer Benny Evangelista wrote the following about the world's largest social media network: "In the coming weeks Facebook will roll out a major makeover that, depending on your point of view, is being called wonderful or creepy, brilliant or a 'stalker's paradise.'"

The makeover is aimed at generating more data sharing, not less. That could mean even more personal data to mine for password clues. As I noted earlier on this blog, the centerpiece of the Facebook changes is something called the Timeline, which the company characterizes as a more engaging, constantly updating, eye-catching "digital scrapbook." As Evangelista pointed out, Timeline is part of a broader Facebook plan: "Combined with an expanded platform of applications that encourages members to share what they're doing without even thinking about it, the Palo Alto firm hopes to strengthen its role as a centerpiece of online activity, culture and commerce."

Unfortunately, some people are prepared to make Facebook the centerpiece of malicious online activity, where people's personal information is used against them. That could have a chilling effect on the urge to share. Clearly, as today's arrest shows, law enforcement is working to bring criminal invaders of privacy to justice, but the challenge is daunting. Even as news of this arrest was breaking, some people were launching digital scams to exploit it, starting with SEO poisoning.

If you feel the urge to look for pictures of Ms. Johansson or Ms. Aguilera, or any of the other people referenced in the indictment, bear in mind that the image results that the search engines present may well be configured to send you to the kinds of websites you normally try to avoid, for example, sites that push pills or malicious code. We have written about the abuse of Search Engine Optimization techniques before and we will probably be doing so again before long.

Author Stephen Cobb, ESET

  • lyecdevf

    Another reason why not to use failbook.  For instance, this profile that I have created and I use to surf the net has no personal information attached to it, or it is fake. ;)

  • row

    It's not too bad yet. When people start putting malicious code in pictures they upload, then it gets messed up.

    fb ToS:
    4.1 You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.  :)

  • lyecdevf

    I meant the persona that is lyecdevf aka Sebastian Degeneres.  I was not talking about failbook because I do not have an account there (as if all social life on the net revolves around it…shes) but I was talking about other various forums, IRC networks, e-mails,… that I am registered and I always use this made up name with fake personal information.

  • social graph mining

    We have a lot of social media right now, like Twitter and Facebook. If you have these, just keep them private if you don't want your account hacked. :)

Copyright © 2017 ESET, All Rights Reserved.