Ringo Starr’s Twitter account hacked (peace and love)

Ringo Starr is the latest celebrity to have his Twitter account hacked.

The account, @ringostarrmusic, famously eschews correct punctuation and other grammatical niceties, goes large on the emojis, and includes the words peace and love in almost every tweet:

Occasionally, an entire tweet may be emojis, but two of them will stand in for the text love and peace:

The hack was rather obvious, as the tweets reverted to a much plainer form (and were much less interesting, if the truth be told):

Order, or perhaps ordered disorder, has now been restored, and the interloper’s tweets have gone.

We can smile at this hack now, but not all of us could roll with a hacker’s punches quite as effortlessly as Ringo, and not all hackers would be quite so obvious once they’d achieved their goal.

LESSONS TO LEARN

There are some important lessons to be learned here.

Apparently, a marketing person at Ringo’s music company had his email account compromised, meaning that the hacker could read incoming emails to that account.

The owner of the email account had access to Ringo’s Twitter, so the crook was able to perform a password reset on the Twitter account, intercept the email containing the link to approve the reset, and jump right in.

Having reset the password on the Twitter account, the intruder was able to set his own password, and go into @ringostarrmusic’s profile and change the email address…

…thus preventing the victim from getting back in and regaining control of the account.

What this means, of course, is that the security of your email account is paramount.

Generally speaking, once a crook controls your email account, he controls many, if not all, of your other important accounts.

In other words, losing control of your email account doesn’t just put you at risk of the crooks learning all about you, and perhaps contacting your customers to organise payment scams. (That’s where a crook sends messages from your email address to tell a debtor to start using a different bank account for payments.)

It often give the crooks control over resetting the password on all your other accounts.

In the @ringostarrmusic case, the hacker claims to have got past two security questions required to reset the victim’s email password.

Security questions are those secondary passwords that you don’t need often, and so aren’t supposed to be easy for a crook to shoulder-surf, or key-log, or acquire in some other way.

Here, however, the hacker says that all he needed was the marketing person’s birthday and his nephew’s name, both of which could be found on Facebook.

WHAT TO DO?

• Pick a proper password. Don’t let the crooks bypass the reset process altogether by simply guessing your password.
• Pick proper security questions. Don’t go for “What is my birthday?” or “What is my dog’s name?” Don’t choose questions that you’ve used anywere else.
• Pick proper security answers. Some sites force you to choose reckless pseudo-security questions, like “What was your first car?” Give a unique and unexpected answer, such as a random password from your password manager that you keep for this question only.
• Use two-factor authentication (2FA). If your email account supports 2FA, for example by SMSing you a code every time you login, consider turning it on. This makes it harder for a crook to guess or to reset your password, because the needed code changes every time.
• Bookmark each account’s “Help, I’ve been hacked” support pages. If you think one or more of your accounts have been hacked, you’ll want to report the problem as soon as possible, so knowing where to start can save you valuable time.