Google CEO Sundar Pichai is among the latest members of an unhappy club: public figures who have been hacked by OurMine, a group of hackers who profess to be doing the world a favor by making clear how vulnerable most of us are online.
They hack into accounts and leave public messages, as well as a suggestion to buy their own security services.
"Hey, it's OurMine, we are just testing your security, please visit OurMine to upgrade it," they tweeted from Pichai's account.
The group told Wired and TechCrunch that they're a trio (of teenagers, according to TechCrunch). They deny being based in Russia or Saudi Arabia—which is where one hacker says their IP address and Twitter handle are from. Their posts suggest English is certainly a second language. (Or, for the sake of the U.S. school system, let's hope that's the case.)
Announcing they'd hacked the Twitter accounts of Randi Zuckerberg and her brother, Mark, they wrote in the News section of their site:
"Today, we checked Randi Zuckerberg Security, and we got access to her twitter accounts, her security was really weak … her password was too easy (superstar) and her brother password (Mark Zuckerberg) is (dadada)."
The group has also hacked the accounts of actor Channing Tatum, food blogger and cookbook writer Ree Drummond, and Amazon CTO Werner Vogels.
While they offer security services (pricing starts at $99.99 for a scan of an individual's social media accounts) that in all instances they point their hacking victims to, they insist they're not blackmailers or black hats—hackers out to make a buck. Rather, they are do-gooders.
"We are not blackhat hackers, we are just a security group … we are just trying to tell people that nobody is safe," they told Wired. "We didn't do anything wrong."
Jackdaw Research Chief Analyst Jan Dawson offered that white hat hackers tend to operate with the permission of the companies or individuals they're trying to protect, which makes OurMine a bit different.
"I'm sure Twitter isn't happy with the hacking that's going on there—I've seen several high-profile individuals have their accounts penetrated by these OurMine guys, and that's not a good look for Twitter," Dawson told eWEEK.
"On the other hand," he added, "they do appear to be highlighting real security vulnerabilities in a way that doesn't seem to be doing any damage, and no doubt those hacked in this way are responding by changing (and hopefully improving) passwords, and so on."
What are some proactive best practices to take? Don't reuse passwords, set up two-factor authentication and be aware of which applications link to which accounts, since you're only as secure as your least-secure account and password.
For example, OurMine claims it hacked Pichai's Twitter through his Quora account, though Quora denies this.
"We are confident that Sundar Pichai's account was not accessed via a vulnerability in Quora's systems," it said in a statement.
It also offered: "We recommend that people use unique passwords for accounts on different services, so that a security breach on one service does not lead to attackers gaining access to accounts on other services."
If you have a security best practice to add to the list, we welcome you to leave it in the Comments section below.