Fifteen National Football League (NFL) teams, including this year's Super Bowl contenders the San Francisco 49ers and the Kansas City Chiefs, have had their social media accounts hacked. To add insult to injury, the NFL’s official account on Twitter was also hijacked, which isn’t the first time this has happened. A hacker collective that calls itself OurMine has claimed responsibility for the incidents.
All the account takeover attacks appear to have taken place over the span of a few hours on Monday. According to the group’s tweets, they were able to hijack the Twitter, Facebook and Instagram accounts of some of the teams. The affected accounts had their profile photos, Twitter header, name and, in some cases, even their bio deleted. Many accounts contained some of these now-deleted messages, shared by NFL reporter Dov Kleiman:
Facebook and Twitter provided The Hill with statements, noting that they were investigating the incidents. Another statement by Twitter for Bloomberg elaborates that the hack originated through a third-party platform, although there are no details as to how exactly the attacks unfolded. Currently, all accounts have been restored and bear no signs of the attack.
The timing of these attacks doesn’t seem random and may be seen as a bid to boost the group’s notoriety, as the week leading up to Super Bowl Sunday is one of the most media-heavy weeks.
The collective has hit popular social media accounts before. Their long list of victims includes Spanish soccer teams Real Madrid and FC Barcelona, entertainment giants Netflix and Marvel, as well as tech titans, such as Google CEO Sundar Pichai and Twitter co-founder Jack Dorsey.
Generally speaking, account takeover attacks often leverage credential stuffing, an automated method that deploys bots for login attempts. The bots take stolen or spilled access credentials that belong to one account and reuse them to break into other accounts, hammering the sites with login attempts until they hit on the right combination.
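From the defender's side, that pattern is visible in authentication logs as one source failing logins for many different usernames in a short time. The following is an added example, not part of the original article and not tied to how this incident unfolded; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<UTC timestamp> <event> user=<name> ip=<source>"
LINE = re.compile(r"^(\S+) (login_ok|login_failed) user=(\S+) ip=(\S+)$")

# Constructed sample log (documentation IP ranges), in time order.
SAMPLE_LOG = """\
2024-01-01T18:00:01Z login_failed user=alice ip=203.0.113.7
2024-01-01T18:00:02Z login_failed user=bob ip=203.0.113.7
2024-01-01T18:00:03Z login_failed user=carol ip=203.0.113.7
2024-01-01T18:00:04Z login_ok user=dave ip=203.0.113.7
2024-01-01T18:00:05Z login_failed user=erin ip=203.0.113.7
2024-01-01T18:00:10Z login_failed user=frank ip=198.51.100.20
2024-01-01T18:00:20Z login_failed user=frank ip=198.51.100.20
2024-01-01T18:00:30Z login_failed user=frank ip=198.51.100.20
2024-01-01T18:00:50Z login_ok user=frank ip=198.51.100.20
""".splitlines()

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=4):
    """Flag IPs whose failed logins span >= min_users distinct usernames
    inside a sliding time window. Returns {ip: [users that also logged in
    successfully from that IP]}, i.e. accounts to review and reset."""
    recent = defaultdict(deque)    # ip -> (time, user) failures still in window
    successes = defaultdict(set)   # ip -> users with a successful login
    flagged = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue               # ignore lines in another format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        event, user, ip = m.group(2), m.group(3), m.group(4)
        if event == "login_ok":
            successes[ip].add(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        # Many *different* usernames from one source is the stuffing signal;
        # a user mistyping their own password repeatedly does not trigger it.
        if len({u for _, u in q}) >= min_users:
            flagged.add(ip)
    return {ip: sorted(successes[ip]) for ip in flagged}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Counting per source address misses attempts spread across many addresses, so this is one signal to combine with others rather than a complete control.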
You can reduce the chances of having your accounts hacked by using two-factor authentication (2FA) wherever the option is available. Most services offer 2FA as an extra security layer against account hijacking attacks, and Twitter, Facebook and Instagram offer several 2FA methods. It's always worth doubling down on your security and enabling the option on your accounts – our recent article explains the ins and outs of 2FA in greater detail.