In early July, the British army confirmed that two of its social media accounts had been breached; their Twitter, and YouTube accounts. We’ve taken a look at the hack and what it can teach us about security.
What happened to the British army socials?
The first weekend of July, the British army’s Twitter and YouTube were hacked. Their Twitter account name was changed to ‘psssd’ with its profile picture and banner were changed to images of NFT’s (non-fungible token). Their YouTube had been changed to ‘Ark Invest’, an investment business from Florida. By Sunday, control of these accounts had returned to the British army.
The commonality between both of these account changes appeared to be that they were endorsing cryptocurrency scams; encouraging followers to invest in fake online currencies. The cryptocurrency market crashed significantly in May 2021, with the value of NFT’s reaching a 12-month low in June.
A calculated attack, or a harmless hack?
In 2013, the British armed forces were told that they could be ‘fatally compromised’ by a concentrated cyber attack, and that the security of their computer systems needed to be improved by the government.
In January of this year, a cyber-attack was carried out against the UK’s Defence Academy, resulting in ‘significant’ damage. As such, the British army socials hack at the beginning of July is second cyber attack on the UK armed forces in six months.
Although the January cyber attack and the July cyber attack were very different, both in terms of intention and damage caused, it does indicate that cybersecurity cannot be overlooked. Although the British army socials hack didn’t appear to be the work of terrorist organisations, it clearly could have caused extensive damage had the hackers’ intentions been different.
How did the British army socials hack happen?
We aren’t sure how these hacks occurred, as very little information has been provided by the British army. However, the cyber attack does raise a number of questions around the kind of security used for these social media accounts. Were the passwords for these accounts guessed or discovered? Were these accounts protected by two factor authentication? And how were both hacked in unison?
We are unlikely to get the answers to these questions, and of course, this cyber attack may be far more elaborate than we are aware of. However, this hack does serve to remind us about the importance of cyber-security, secure passwords, and the importance of multi-factor authentication.
Cybersecurity, and two factor authentication
At minimum, Twitter and YouTube require an email address and a password to sign in. Additionally, both applications offer two factor authentication, whereby a person signing into their account has to provide an additional piece of information, such as a biometric like TouchID or FaceID, or a security key sent to a smartphone.
When two-factor authentication is turned off, accounts which use a password and an email account to log in are vulnerable to a number of cyber attacks. These include credential stuffing, where a hacker finds account details from a poorly protected website the victim has signed up to, and tries the same details in other websites. Accounts can also be vulnerable to password spraying, where the most popular passwords are tried against a victim’s email address to see if one of them works.
By turning on two factor authentication, users can completely eliminate the potential for these cyber attacks. Although this won’t protect your accounts entirely, it will make it much more difficult for a hacker to access your account.
Turn on two factor authentication
It isn’t possible to be unhackable, but we can make use of all of the security features made available to us by turning on two factor authentication wherever possible. Take the extra time to protect your account details, and you’ll save time recovering from a hack in the future.
Keep your staff safe with U-Secure
If you’re running a business and you’re worried about cyber security, it’s worth considering U-Secure. U-Secure provides cyber security training to your employees, consisting of short training courses and quizzes to educate them about common security scams, to test their understanding.
Courses are ten minutes long, and are emailed to employees automatically. The results are recorded for your organisation, so that businesses can see how educated they are, and which employees need help or further training in order to protect themselves and your organisation.
As a U-secure partner Transcendit offers a 30-minute demo of the software, so we can talk you through how it works and get it set up for your business.
Prioritise cyber security, and give us call us on 0191 482 0444 to try out U-Secure