FC Barcelona’s Twitter account was hijacked by the Syrian Electronic Army last night, who sent messages to more than 11 million followers.
While the team won 2-0 away at Manchester City, the army took control of the team’s official account, urging the management of the team not to accept Qatari money, and later said “special hi” to rivals Real Madrid.
Barca previously refused to wear any corporate sponsorship on their kit, but signed a £123 million deal to wear Qatar Sports Investments branding for five years ahead of last season.
Security blogger Graham Cluley said: “There seems little doubt to me that FC Barcelona could have avoided this hack if they had followed best practices – which would have included training staff to never re-use passwords and to be suspicious of unsolicited emails, checked that they were only entering their passwords on legitimate websites, and – crucially – enabled two-factor authentication on their account.”
Dana Tamir, director of enterprise security at Trusteer, an IBM Company, said: “It seems that attackers and cyber criminals are increasingly targeting users’ login credentials which will provide them access to various systems. Only two weeks ago we learned that Yahoo’s email system was breached using credentials stolen from a third party.
“With login credentials to the user’s account, it is possible to access information stored within the user’s account. Last year, the Syrian Electronic Army took credit for hacking the Twitter account of the Associated Press (AP) and posting a fake news alert about an attack on the White House and President Obama. The news alert was quickly denied, but not before the Dow Jones stock exchange fell by one percent and $200 billion dollars was wiped off the entire market (stocks bounced back later in the day).
“An additional concern is that many users tend to re-use their passwords across multiple systems. After all, it’s hard to remember so many passwords. If users are re-using their credentials, the exposed information may also provide access to other websites and web services, including corporate systems. While access to online consumer applications and services enables fraudulent transactions, access to corporate systems can enable an enterprise breach.”