Shuhei Yoshida, the popular president of Sony Computer Entertainment’s worldwide studios, appears to be the latest victim of the OurMine hacking gang, after his Twitter account was hijacked yesterday.
Yoshida is one of Sony’s best-known faces, frequently appearing at PlayStation press conferences or tweeting about his love for PS4 games.
OurMine, which has previously broken into social media accounts belonging to Mark Zuckerberg and Google CEO Sundar Pichai, and has recently been linked to DDoS attacks against WikiLeaks and Pokémon Go, says that it was testing Yoshida’s security.
As is their normal modus operandi, however, OurMine didn’t miss an opportunity to cause some mischief – tweeting a message which appeared to be in support of the Xbox, Sony PlayStation’s arch-rival.
Fortunately, OurMine appears to be more motivated by mischief-making and promoting its services than by using hacked social media profiles to phish or infect others.
“Hey, its OurMine, we are testing your security”
“You have been hacked by OurMine Team Visit our website to secure yourself.”
In some ways you could argue that it’s a good thing that it’s OurMine hacking accounts rather than someone else. But what would be best of all is if high profile accounts were properly protected in the first place.
Yoshida himself doesn’t appear to be that flustered by the experience. He has regained control of his account, and tweeted an apology to his followers.
— Shuhei Yoshida (@yosp) July 20, 2016
Following the devastating hack which struck at parts of the Sony empire in late 2014, it would be nice to think that the company had got to grips with security, and educated its senior staff about how to protect themselves online.
But clearly Yoshida, at the very least, didn’t have the right protection in place. Either he was careless with his password and fell foul of a phishing attack, or he made the mistake of reusing the same password for his Twitter account (where he has impressively accumulated almost 250,000 followers).
Whatever the precise nature of how the hackers managed to get their hands on Yoshida’s password, it seems unlikely that he had enabled Twitter’s two-factor authentication facility.
Twitter calls its 2FA system “Login verifications”, and I strongly recommend that all users of the site enable the feature as it means that even if your password is compromised, that won’t be enough to allow hackers to hijack your account.
Bitdefender’s Alexandra Gheorghe has written a great guide on how to enable two-factor authentication and two-step verification on a number of popular sites, including Twitter.
Frankly, if a site is offering you two-factor authentication to protect your account, and you don’t enable it… you’re asking for trouble.