Science·Q&A

Mark Zuckerberg hack a cautionary tale about password security

Even tech billionaires get hacked sometimes. Case in point — Facebook founder Mark Zuckerberg's Twitter and Pinterest accounts were recently compromised. And according to CBC Radio technology columnist Dan Misener, it's a cautionary tale for all of us.

Facebook founder's privacy breach demonstrates how bad many of us are at keeping data protected

Facebook founder Mark Zuckerberg recently had his Twitter and Pinterest accounts hacked. The incident highlights the need for secure passwords, says CBC technology columnist Dan Misener. (Eric Risberg/Associated Press)

Even tech billionaires get hacked sometimes.

Case in point — Facebook founder Mark Zuckerberg's Twitter and Pinterest accounts were recently compromised.

And according to CBC Radio technology columnist Dan Misener, it's a cautionary tale for all of us.

How did Mark Zuckerberg get hacked?

You might remember that back in May, LinkedIn confirmed that more than 100 million passwords had been leaked.

If you have an account on LinkedIn, you might have received an email about this. And it seems Mark Zuckerberg's LinkedIn password was part of the breach.

According to the group claiming responsibility for the hack, his password was pretty weak — "dadada." It was known that he'd recently become a father, so that's not a hard password to guess.

So it seems hackers were able to gain control of his Twitter and Pinterest accounts, by using that same password. 

The implication is that Mark Zuckerberg, like many of us, used the same password for a number of different sites and services.

Are there other password leaks we should be worried about?

During the same weekend news broke about the Zuckerberg hack, news emerged that the social network VK was also hacked, and 100 million passwords were leaked. VK isn't big in here in Canada, but it is the largest social network in Europe, and it's especially popular in Russia. 

These VK passwords were reportedly stored in plain text, with no encryption. And that leak gives us some interesting insight into the kinds of passwords people choose.

Spoiler alert: most people's passwords are not very strong.

The most popular leaked password was "123456." The second most popular password was "123456789." And in the third spot: "qwerty."

A few of the most commonly used leaked passwords for MySpace accounts, according to LeakedSource. (LeakedSource.com)
Another major breach came to light in May, when the website LeakedSource — which maintains a searchable database of leaked records — said more than 360 million MySpace accounts were being shopped around on dark web marketplaces.

Once again, the Myspace breach gives us a peek into our collective bad password hygiene. Among the most popular passwords were "password1," "abc123," and the ubiquitous "123456."

I'm not Mark Zuckerberg and I don't use LinkedIn. Do I need to worry about these breaches?

Yes. Even if you're not a high-profile target like Mark Zuckerberg, and even if your own personal password never gets leaked, these types of data breaches affect us all.

When millions of passwords get leaked — as we've seen with LinkedIn and MySpace and VK — that information helps hackers get better at their jobs, according to Carleton University computer science professor Anil Somayaji.

Carleton University's Anil Somayaji says data breaches affect us all, since they help hackers get better at cracking passwords. (YouTube/Carleton University)
"In order to crack passwords, they have to guess passwords," he said.

"What's the best way of guessing a password, other than having examples of passwords? It's no question that these big data dumps teach the password crackers what kind of passwords people pick."

So even if your personal details aren't leaked, these massive data breaches have negative security consequences for everyone, because it's one more tool in the hackers' toolkit.

How do I know if my password has been part of a leak?

There are tools out there that can help with this. My favourite is a site called HaveIBeenPwned.com

It's a searchable database of accounts that have been compromised in data breaches. You go to the website, enter your email address or username, and it searches through almost a billion records of accounts that have been leaked.

The website Have I Been Pwned? provides a searchable database of accounts compromised in data breaches. (HaveIBeenPwned.com)
What I like most about the site is that it has an option to notify you about future breaches. So if, for instance, next month there's a major data breach of a social network, and your account is part of it, they'll email to let you know. And that, of course, is a good indication you should change your password immediately.

What can I do to keep my accounts safe?

It seems that Mark Zuckerberg's Pinterest and Twitter accounts got hacked because he used the same weak password across more than one site. So rule number one: don't re-use passwords. You want a unique password for every site and service you use.

Second, Anil Somayaji suggests that you turn on two-factor authentication for your most important accounts.

That may involve, for example, entering a code that's sent to you by text message along with your usual username and password combination.

"Do it for the ones that you really care about — your email accounts, which are generally the foundation of your online identity, and your financial institutions," he recommends.

Finally, you want a good strong password. That means easy for you to remember, difficult for someone else to guess.

And obviously, something better than "dadada."

ABOUT THE AUTHOR

Dan Misener

CBC Radio technology columnist

Dan Misener is a technology journalist for CBC radio and CBCNews.ca. Find him on Twitter @misener.