OAKLAND, CA – DECEMBER 02: Head coach Andy Reid of the Kansas City Chiefs looks on against the Oakland Raiders during their NFL game at Oakland-Alameda County Coliseum on December 2, 2018 in Oakland, California.
Hackers compromised Twitter accounts belonging to the National Football League and some of its most popular teams, including the Super Bowl contenders San Francisco 49ers and Kansas City Chiefs, in an apparent series of cyberattacks Monday. The hackers taunted the NFL and the teams in messages saying they were “here to show people that everything is hackable,” and promoted the hackers’ security services via email and Twitter hashtags.
Accounts for the Chicago Bears, Green Bay Packers and Cleveland Browns were also taken over, among others.
An organization known as “Our Mine,” allegedly based in Saudi Arabia, took responsibility for the attack. Our Mine has executed similar, successful attacks against well-known and celebrity social media accounts in the past, and uses the account takeovers to advertise its “services” as a security company.
However, account takeovers of this type are illegal in many jurisdictions, under laws that protect against identity theft, wire fraud or computer intrusion. Legitimate security companies do not advertise their services in this way.
The incident may raise concerns about the security practices of major sports leagues and their teams, as those operating large event venues fall under increasing scrutiny from the Department of Homeland Security for their exposure to cyberattacks. “Commercial Facilities” represent one of the 18 sectors categorized by DHS as “critical to the infrastructure of the United States,” including venues like the Hard Rock Stadium in Miami, where this year’s Super Bowl will be played.
For this reason, any successful compromise of teams playing in that event, including social media accounts managed by the teams, may draw federal scrutiny.
While it’s not immediately clear how the league and team accounts were compromised, Twitter and other social media accounts can be hardened by enabling multi-factor authentication, rotating passwords, and training the people who manage the accounts to recognize phishing emails that could steal their credentials.