@PayPalUK, the Twitter account for PayPal in the UK, was hacked tonight and content including changes to the account’s logo was posted. The attackers also posted tweets linking to PayPalSucks.com, an anti-PayPal site, and then devoted the next hour to retweeting every complaint they could find about PayPal on Twitter.
It’s worth noting that Twitter’s login rests on nothing more than a user name and password, so a guessed, phished or reused password is all an attacker needs. Whilst it’s deeply embarrassing for PayPal to have their account compromised, they aren’t the first and almost certainly won’t be the last high-profile account to be hacked. The PayPal Twitter account is a separate system from the main PayPal site, so PayPal’s own systems and their customers’ accounts were not exposed by this.
PayPal have apologised on Twitter saying “We apologise for the bad language and childish nature of tweets that came from this account at the time”. They also said of their Twitter account “This account was hacked earlier. We have it in our control now. Your personal data is still 100% safe, hack occurred on Twitter not PayPal”.
Of course every cloud has a silver lining: it looks like PayPal have gained in excess of 1000 new Twitter followers during the course of this evening’s hack. Having regained control of the account, the increase in followers has to be a nice bonus for what must have been a very fraught evening for those that run the PayPal Twitter account.
4 Responses
When that shopping website was hacked into earlier in the year (I can’t remember their name now), they offered Paypal as the sole payment gateway.
On my website I offer more than one payment gateway, so hopefully this will only affect eBay.
I think the important thing here is that this is a Twitter hack, not a Paypal hack. In fact, it’s one of a long list of Twitter account take-overs (think Fox News last week) which have been going on, and is media-interest, but of little operational consequence for anyone doing business and using Paypal.
I don’t know how the attack was made, but as Chris observes it’s just a simple password that is required so a dictionary attack, a phish or a social attack might do it, with no need for anything more sophisticated.
Twitter could improve its security and at least have some form of account recovery in place for take-overs (particularly of verified accounts with large numbers of followers) — much as eBay has its Live Help for account take-overs: one of the most accessible and fastest acting parts of the customer service team.
It is possible for users to make attacks harder by having complex non-dictionary passwords which are embedded in client software rather than known to users, but the blame for this overall vulnerability lies at Twitter’s door.
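The comment above makes two points: a password-only login falls to a dictionary attack with a few mangling rules, and a long random password held by client software rather than chosen by a person is out of reach of such an attack. The following is an added example, not code from the original post or from any of the commenters, that simulates a small dictionary attack and contrasts it with a generated password. The word list and the mangling rules are constructed for the demonstration; a real cracking list has millions of entries and far more rules.

```python
import math
import secrets
import string

# Constructed toy word list standing in for a real cracking dictionary
# (assumption: real attackers use lists with millions of entries).
WORDLIST = ["password", "paypal", "twitter", "letmein",
            "welcome", "qwerty", "monkey", "dragon"]

# Common character substitutions attackers apply to dictionary words.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def mangle(word):
    """Yield the variants of one word that a dictionary attack would try:
    case changes, appended digits and symbols, single leet substitutions."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):            # "Paypal1", "Paypal99", ...
            yield f"{base}{n}"
        for sym in "!@#$":              # "Paypal!"
            yield base + sym
    for i, ch in enumerate(word):       # "p@ssword", "P@ssword"
        for sub in LEET.get(ch, ""):
            variant = word[:i] + sub + word[i + 1:]
            yield variant
            yield variant.capitalize()


def dictionary_attack(target, wordlist=WORDLIST, max_guesses=1_000_000):
    """Run the guess list against target. Returns the number of guesses
    needed to hit it, or None if the list is exhausted without a match."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if guesses > max_guesses:
                return None
            if candidate == target:
                return guesses
    return None


def generate_client_password(length=24):
    """A random password intended to be stored by client software rather
    than memorised; uses the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length=24, alphabet_size=94):
    """Entropy in bits of a uniformly random password of the given length
    over an alphabet of the given size (94 printable ASCII characters)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("Paypal1", "p@ssword", "correct horse battery staple",
               generate_client_password()):
        result = dictionary_attack(pw)
        status = f"found after {result} guesses" if result else "not found"
        print(f"{pw!r}: {status}")
    print(f"24-char random password: {password_bits():.0f} bits")
```

The weak passwords fall within a few hundred guesses, which at the rate of an online login form is still minutes, not days; the generated 24-character password carries roughly 157 bits of entropy and is never reached by a word-list attack, which is the trade-off the comment describes: strength in exchange for a password nobody can type from memory.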
Got hacked again yesterday.