Sign in / up

back to article Netflix US Twitter account hacked

Netflix's US Twitter account was briefly hijacked on Wednesday. The feed was taken over by a hacking group, OurMine, who used the hijack to promote its website and invite Netflix to get in touch. The social media team running the Netflix US Twitter account, which has 2.5 million followers, got off easily. Previous account …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. JimmyPage
    Facepalm

    "Not enabled 2FA" ???? FFS ?

    *If* 2FA was enabled, how was it defeated ?

    If not, just why ?

    0 1 Reply
    1. Orv Silver badge
      Reply Icon

      Re: "Not enabled 2FA" ???? FFS ?

      The "2FA" of most sites like Twitter is only superficial. Under the covers, clients get a single token that's effectively a single authentication factor until it expires. Since people hate logging in over and over, tokens rarely expire. Often these attacks are based on stealing the token somehow.

      0 0 Reply
      1. sequester
        Reply Icon

        Re: "Not enabled 2FA" ???? FFS ?

        Twitter's second factor is SMS. They can't send messages to my current carrier, so I had to disable it when I switched there. Twitter don't offer any kind of contact venue to notify them of those issues either, and they don't seem interested in offering anything actually working.

        0 0 Reply
        1. P. Lee
          Reply Icon

          Re: "Not enabled 2FA" ???? FFS ?

          and what happens if you have a UC system?

          You get unexpectedly single factored.

          0 0 Reply
        2. Anonymous Coward
          Reply Icon
          Anonymous Coward

          Re: They can't send messages to my current carrier,

          So, much like LinkedIn then ?

          They appear to struggle with (presumably) non-US MVNOs ... and have done since I logged a support call 7 months ago.

          I have since concluded that they don't give a shiny shit about user security. They are free to correct that impression but have chosen not to.

          1 0 Reply
    2. 142
      Reply Icon

      Re: "Not enabled 2FA" ???? FFS ?

      SMS-based 2FA relies on the user's messages being secure. This isn't always the case. Some phone networks allow you to send and receive SMSs through their website, for example. So if the hackers get on there first, 2FA no longer matters.

      0 0 Reply
  2. Florida1920
    Happy

    Traditional media is good

    (Such as El Reg.) Otherwise I'd never know what was happening on "social" media.

    10 0 Reply
    1. Version 1.0 Silver badge
      Reply Icon

      Re: Traditional media is good

      Twitter? I've heard of him I think, didn't he appear in an old Monty Python sketch? Or maybe it was The Navy Lark?

      3 0 Reply
      1. Captain DaFt
        Reply Icon

        Re: Traditional media is good

        Perhaps you are thinking of country singer Conway Twitter?

        Best known for his song "Your Cheating Lark"?

        2 0 Reply
  3. NoneSuch Silver badge
    Coat

    Everythings Fine

    They just added "123" to the end of "password" so all is good now.

    3 0 Reply
  4. benderama

    How does breaking someone's account on a different service count as "testing your security"? This was done for the bragging rights. If the kid wants to impress us, break into Netflix proper and enable all content for all regions.

    0 0 Reply
  5. Barbarian At the Gates

    SMS isn't really "secure" for 2FA

    Here's something to think about if you use your cell phone number as a form of 2FA. In some scenarios using SMS for 2FA actually helps make your account easier to hijack. It depends on how password reset is implemented by a particular account provider. If they set it up such that if you forget your password, you can get a code sent via SMS to use to reset your password...well...

    If someone can find out a cell number is attached to a particular account, some trivial social engineering can get that cell phone number ported to a different service/burner cell phone. Issue password reset requests to account(s), get reset code SMSes on burner phone, take over account.

    1 0 Reply
    1. lglethal Silver badge
      Reply Icon
      Go

      Re: SMS isn't really "secure" for 2FA

      Yes it can be done. And your right relatively trivially. But it does takes effort from the attacker. And lets face it, most script kiddies are unwilling to take that effort or accept the risk associated with doing something which ups your crime from simply "unathourised access of an electrical device" to "fraud" (completely with a long stay in the chokey if your caught).

      Whilst SMS based 2FA is not going to stop a Nation state or a dedicated hacker, those parties are unlikely to be interested in taking over your twitter account. So SMS 2FA is good enough for some Tasks...

      0 0 Reply
    2. JimmyPage
      Reply Icon
      Thumb Up

      Re: SMS isn't really "secure" for 2FA

      They could.

      And for a high-value account it would be worth the effort.

      I think the average Joe is safe though.

      0 1 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like