Let’s recount: a celebrity, a hip-hop artist, a media magnate, a tech CEO, an activist, the NFL, Kylie Jenner—all these people (and sports leagues) have had their Twitter accounts hacked in recent days.
The takeovers are moderately entertaining, at times. Like when Katy Perry—or rather, the person momentarily administering the songstress’ avatar—extends a digital olive branch to friend-turned-foe Taylor Swift. Or when Mark Zuckerberg—that is, the puppeteer controlling his account (otherwise silent since 2012)—boasts openly about having an abysmal password. These jolts to the system are, occasionally, welcome reprieves from the regular social media malaise. I’ll admit.
The hacks are also more than a little disconcerting. Without fail, they give rise to short-lived rants chock full of hate speech, curse words, and gibberish. Equally distressing is the realization that people everywhere continue to leave their online selves vulnerable to attack. Reusing the same appalling password across any number of websites may as well be an invitation—calling all malefactors!—to take the stage at the world’s next Open Mic Night. The venue: your mouth.
The state of online security is generally terrible, I know. I empathize. Until that’s fixed, one has to be proactive. You already know what I’m going to say, yes. Password hygiene, password managers, password complexity, length, special characters—yada yada, dadada.
You’ve heard the spiel before. But really, I implore you. Please. Do us this one solid. Do the world this one solid. Go and download that password manager. It won’t bite, really. Download that app and reset your passwords to the most uncrackable, indecipherable, alphanumeric gobbledygook the world has ever seen—a distinct one per account. Here are some password manager options even: Dashlane, KeePass, LastPass, Keeper. Really, go ahead. Go!
Done? I hope so. Now for extra credit. To steel yourself against the most determined hackers, take this bonus step: activate two-factor authentication on your accounts. This highly advisable security feature sends a passcode to a device of your choosing that you’ll have to enter upon login. Most savvy websites offer this as a layer of defense. And yes, it’s worth the minor inconvenience to set up. (Overachievers, call your mobile carrier and lock your accounts with a PIN as well.)
If you’re not going to take this measure for you, at least do it, I propose, selfishly, on behalf of cybersecurity reporters. For they can only write so many “guess who’s been hacked today??” stories before losing their sanity. Have mercy.
Thank you for understanding, dear reader. Enjoy the weekend. I’ll be at a cabin in the Catskills. More news below.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Twitter on lockdown. Thirty-two million login credentials for users of the social media site recently leaked. Twitter maintains that it wasn't breached; one theory holds that they were compiled from separate breaches at other sites, where people reused passwords. As a precaution, however, the company is requiring "a number" of people to reset their passwords. Facebook and Netflix have similarly required login resets. (Fortune, Fortune, Fortune)
Mark Zuckerberg hacked. A hacker group called OurMine Team hijacked Facebook CEO Mark Zuckerberg's Twitter, LinkedIn, and Pinterest accounts. His password? Apparently, "dadada." The account takeover follows a number of breaches at social media sites that have recently come to light. (Fortune, Fortune)
Hillary Clinton emailed about drones strikes. As Secretary of State, Democratic presidential hopeful Hillary Clinton apparently corresponded through her personal email server with diplomats in Pakistan about the State Department's role in coordinating drone strikes with the Central Intelligence Agency. A Clinton spokesperson brushed off the claim, saying that "If these officials’ descriptions are true, these emails were originated by career diplomats, and the sending of these types of emails was widespread within the government." (Fortune)
Apple and Google frustrate Manhattan DA. Cyrus Vance, a New York District Attorney, complained that smartphone encryption has halted more than a thousand criminal investigations across the country. He noted that: "In my office alone, we now have 270 lawfully-seized iPhones running iOS 8 or 9 that are completely inaccessible." Earlier this year Apple stood its ground against the FBI, which demanded access to the data stored on a handset used by a terrorist. (Fortune)
Germany fines businesses for data transfers. Some companies are still relying on the no longer valid Safe Harbor agreement to shuttle people's data across the Atlantic. German regulators slapped a fine on Adobe, PepsiCo subsidiary Punica, and Unilever for a total of $32,000 for continuing to rely on the legal authority, overturned in the wake of revelations of U.S. mass surveillance. (Fortune)
Wikipedia cofounder says France backs censorship. Jimmy Wales, cofounder of Wikipedia, blasted French regulators for requiring Google to remove certain search results as part of a "right to be forgotten." The free speech advocate took issue, in particular, with the country's ruling that the search giant should "hide things globally, not just within the borders of France." (Fortune)
By the way, I like to believe that Elon Musk really did speak with the Pentagon about a real-life Iron Man suit.
Share today's Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
Fortune's Robert Hackett (hey, that's me) explains how the U.S. may be conducting cyberwar on ISIS through a kind of terrorist cat-fishing project.
Picture this: A supporter of the Islamic State gets a chat message. It’s from a top commander, and it instructs the man and his fervent cohort to meet outside the city of Tel Osqof, 20 miles north of Mosul, at 7 a.m. “May God be with you, my brothers,” the leader signs off.
But when the recipient gets to the rendezvous, he’s greeted by an ambush. Air strikes. Gunfire. Chaos. Collapse.
Here’s what happened: That message from a trusted conspirator? It turns out an adversary fabricated it. Foreign agents hacked the commander’s accounts, hijacked his persona, and mimicked his mannerisms to sell a rebel battalion on a phony order. When the supporter showed up at the meeting spot, military forces were already there.
This imagined scenario gives you a sense of the kind of digital deception the U.S. may be using to take down terrorist groups like ISIS (also known as ISIL). But until this spring it was hard to confirm that those tactics existed at all. Read the rest on Fortune.com.
Hackers Exploit Loophole to Disable Alarm on Mitsubishi Outlander by Kirsten Korosec
Libyan Prime Minister Predicts 'Total Victory' Over ISIS Stronghold by Michal Addady
Scalper Bots are Hijacking Canada’s Hottest Concert by David Z. Morris
NFL Twitter Account Hacked and False Tweet Posted on Goodell's Death by Aaron Pressman
Invasive App Tenant Assured Wants to Sell Your Private Data to Landlords by Robert Hackett
U.S. Still Has Thousands of Insecure Security Cameras, Report Shows by Jeff John Roberts
The Latest Security Threat Could Be Hiding in Your Car by David Barzilai
ONE MORE THING
Meet the hacker selling your passwords. A hacker by the name of "Peace_of_mind" or "Peace" has been selling a horde of hacked passwords and login credentials for social media sites in recent weeks. The hacker told Wired that a team of Russians initially harvested them, mostly for spamming purposes. Why talk to a reporter? "I’d rather give them [MySpace, Tumblr, LinkedIn, law enforcement] a bone to chew on, so to speak, make them feel like they can catch me or others," the hacker said. (Wired)