Hackers Break Into Ringo Starr's Twitter Account With Simple Password Reset
blottsie writes: Ringo Starr's account was compromised by a hacker operating under the username "af," who spoke to the Daily Dot about the breach. The hacker says he gained access to an email account associated with Doug Brasch, senior director of digital marketing at Universal Music Group, who managed Starr's Twitter account. He simply used an email password reset to gain access.
Email got hacked (Score:3, Insightful)
so the real hack was the email account not twitter?
Re:Email got hacked (Score:5, Funny)
so the real hack was the email account not twitter?
Exactly. If it was a "simple Password reset" it would have been:
Security question: What's your favorite band?
Answer: The Beatles.
Re: (Score:2)
Record your answer somewhere safe.
Like a piece of paper stuck beneath the keyboard.
Re: (Score:2)
I hate websites forcing Security Questions down my throat for this reason.
Worst are those who require you to answer their questions, and not your own.
What was your mother's maiden name?
I never knew who my mother was, you insensitive clod! And if I did know, I bet that a quick search of any genealogy site would tell an intruder too.
What city were you born in?
I wasn't born in a city, you insensitive clod! And isn't town of birth public data?
What was the name of your 6th grade teacher?
People seriously remember this into their 70s?
I wonder how many of the secret answers are "FUCK
Re: (Score:2)
Use a strong random string as the answer, regardless of what the question is, and store it in a password manager (next to the question). Then the question doesn't matter, it's only used for lookup.
What is your mother's maiden name? JbdsxnzvB31M4uW0AxVsh2gIcFHhgN
What is your favorite color? ESWKiF0J8IyZj7aZQzCjsAhGcyn4QC
Re: (Score:2)
But the whole point of the 'security questions', is that you've lost your password. If you're using a password manager to store your passwords already, then there's no point using it to store your answers, because then you'd have your actual password, and wouldn't need the 'security questions'.
You might as well type in random text, and not even bother to remember it, if you're going to use a password manager to store it. I hate the things too.
Re: (Score:2)
You might as well type in random text, and not even bother to remember it, if you're going to use a password manager to store it.
You have to store the answers to the "security questions", because sometimes websites will require you to know them, even if you have your password. It's happened to me more than once.
Of course, they shouldn't actually be called "security questions" (since the purpose is not to enhance security, but to actually weaken it so customer service doesn't have to deal with people who forgot their password) but obviously they can't admit to that. And since they need to pretend it's about security, they also need to
Re: (Score:2)
You have to store the answers to the "security questions", because sometimes websites will require you to know them, even if you have your password. It's happened to me more than once.
Well. That's pretty stupid. In that case I guess you're stuck, and your random answers are a pretty good idea. I don't know that most password managers actually support 'security questions' without creating a whole new entry for each one - the one I use (keepass) certainly doesn't. It's time that we used a hardware security dongle - you know, like we do with doors - to allow people into their accounts.
Re: (Score:2)
Some password managers allow you to store description (arbitrary text) alongside the passwords.
That's what I do. MyPasswordSafe allows storing comment text with each entry, so I put the "security question"/answer pairs in there.
Re: (Score:2)
But the whole point of the 'security questions', is that you've lost your password. If you're using a password manager to store your passwords already, then there's no point using it to store your answers, because then you'd have your actual password, and wouldn't need the 'security questions'.
Right. All this extra "security" bullshit we have to put up with is because of the idiots who don't use password managers, (and password generators). It's the dumbing-down of security. I don't see how these people will ever learn if they're always having their hands held. Let them lose control of a few accounts. Then, maybe, they'll get with the program.
Re: (Score:1)
I had a credit card hacked once. The person used it to pay for a lot of crap on iTunes. When I called Apple support, they said that the credit card was attached to a different account. So when the support person wanted to validate who I was, she asked me for the answers to my secret questions. I had scrambled answers like you describe. I also always use the maximum number of characters that the field (or rule) will allow. About 50 characters into it, she said she knew it was me.
Re: (Score:2)
It was an iCloud email address, but in this case, Apple's security questions were such that the answers could be found via Facebook.
31337 (Score:5, Insightful)
Re:31337 (Score:5, Informative)
Re: (Score:1)
Around the late 90's, if I recall correctly.
you mean IIRC
Re: (Score:2)
Long before that, try early/mid 80's.
Re: (Score:1)
As far as I'm aware it's always meant that.
It's just that until the 90's the only people with anything important accessible by computer were big businesses and the government so the douchebags could pretend to be Robin Hood class d-bags instead of The Joker class d-bags.
I thought a "hacker" built stuff and a "cracker" broke stuff. "Breaking into an account" would then fall under "cracking," not hacking. AFAIK, "hacking" is when you use some paperclips, a few resistors, and a perl script to turn your motherboard into a radio. THAT is hacking.
Did you circumvent encryption? Crack.
Did you come up with a no-cd game patch? Crack.
Did you figure out how to send digital files UUencode-style via SMS using a rooted iPhone? Hack.
Did you make your line printer play Christmas songs? Hac
Hackers and crackers (Score:2)
I thought a "hacker" built stuff and a "cracker" broke stuff.
There has been an attempt to get that usage adopted, but it's failed.
Basically, the definition of "cracker" as "A poor and usually bigoted white person living in the south" is so well accepted in America that it hasn't been possible to graft a new definition on.
see: urban dictionary [urbandictionary.com] or NPR [npr.org]
Re: (Score:2)
I can't confirm when it started, but it reached a peak when people started swiping their friends' unlocked smartphones and posting douchey photos to the owner's Facebook page, along with the text "You've been hacked LOL!"
It's handled by a marketing droid (Score:2)
I wonder how many celebrities don't even have access to (ostensibly) their own social media accounts?
Also, who cares about Ringo Starr in 2016?
Re: (Score:3)
Probably quite a lot of them. You don't actually think celebrities are making all those posts to Facebook and Twitter themselves, right?
Re: (Score:2)
I dunno. If Kanye isn't making his own Tweets, he ought to fire whoever he has doing it for him.
Re: (Score:2)
Also, who cares about Ringo Starr in 2016?
Rory and the Hurricanes [youtube.com] is as sweet a pop song as anyone puts out today.
E-mail is the universal key (Score:5, Insightful)
I occasionally run into people who don't believe they need to be very careful with their e-mail security, because "it's only e-mail, it's not like my bank account or anything". But given that virtually every other online account you create uses e-mail to manage password reset, it is your bank account. And everything else.
Use a good password on your e-mail account, and enable two-factor authentication. If your e-mail provider doesn't offer 2FA, or offers a form of it that's too inconvenient to use, get a better e-mail provider. #emailmatters
Re:E-mail is the universal key (Score:5, Insightful)
#emailmatters
#hashtagsareretarded
Re: (Score:2)
#emailmatters
#hashtagsareretarded
#itsapoundsignanditisretardedtoo
#icallitanoctothorpeyouinsensitiveclod
Re: (Score:2)
If you want a better e-mail provider you'll have to pay for it. If you ever become unable to pay (say, unemployment, homelessness, prison, war, disease etc.) you're then at risk of losing it all. :) And I have never yet thought about what happens if I lose a phone number tied to a password!
As for 2FA there's no way I'm giving my phone number to $email_provider
We need some way to be secure without recurring bills. e.g. using Firefox instead of IE was free at least.
Re: (Score:3)
As for 2FA there's no way I'm giving my phone number to $email_provider
Well, texts are far from the ONLY way to get 2FA, but beyond that, perhaps you're too paranoid to be on the internet?
Re: (Score:2)
If you want a better e-mail provider you'll have to pay for it.
Gmail is free, and has excellent security. Better than any paid service I've seen, actually.
As for 2FA there's no way I'm giving my phone number to $email_provider
So, don't use phone-based 2FA. Continuing with Gmail as an example, you can get 2FA via security key (a little USB stick), smartphone app, printed codes (pieces of paper you carry in your wallet), SMS or voice phone. Only the last two involve your phone number. Though I have to wonder... just what do you think $email_provider is going to do with your phone number anyway? And if you don't want them to have it, you'd b
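The "smartphone app" option mentioned here, and the "enable two-factor authentication" advice in the parent post, is almost always TOTP (RFC 6238): the app and the server share a secret and each derive a six-digit code from the current 30-second step. The following is an added example, not code from the original page or from any provider named in it; it implements the algorithm from scratch in Go and adds the two server-side checks practitioners most often get wrong, a constant-time compare and a replay guard so a code that was shoulder-surfed cannot be used a second time. The base32 secret in `main` is the RFC 6238 test key (ASCII "12345678901234567890"), used here as a constructed example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"time"
)

// HOTP computes an RFC 4226 one-time code from a shared secret and a counter.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code := bin % uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP is RFC 6238: HOTP with the counter set to the current time step.
func TOTP(secret []byte, unix int64, step int64, digits int) string {
	return HOTP(secret, uint64(unix/step), digits)
}

// Verifier is the server side. It accepts the current step and one step either
// side (clock skew) and never accepts a step at or below the last one used, so
// a code observed on the user's screen cannot be replayed.
type Verifier struct {
	secret   []byte
	step     int64
	digits   int
	lastUsed int64 // highest step already accepted; -1 means none yet
}

// NewVerifier takes the base32 secret as shown in a QR-code enrolment.
func NewVerifier(base32Secret string) (*Verifier, error) {
	clean := strings.ToUpper(strings.ReplaceAll(base32Secret, " ", ""))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
	if err != nil {
		return nil, fmt.Errorf("bad secret: %w", err)
	}
	return &Verifier{secret: key, step: 30, digits: 6, lastUsed: -1}, nil
}

// Verify checks code at time unix. Every step in the window is computed and
// compared in constant time, so timing does not reveal which one matched.
func (v *Verifier) Verify(code string, unix int64) bool {
	current := unix / v.step
	matched := int64(-1)
	for delta := int64(-1); delta <= 1; delta++ {
		step := current + delta
		if step < 0 {
			continue
		}
		want := HOTP(v.secret, uint64(step), v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 && step > v.lastUsed {
			matched = step
		}
	}
	if matched < 0 {
		return false
	}
	v.lastUsed = matched
	return true
}

func main() {
	// Constructed example: the RFC 6238 test secret in base32 form.
	v, err := NewVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(v.secret, now, 30, 6)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

In production, `lastUsed` must live in persistent storage keyed by the user, and the secret must be stored with the same care as a password hash's pepper; the skew window and the digit count are the only tunables worth exposing.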
Re: (Score:2)
I use the same scheme, although I'm stricter: _everything_ gets its own email address.
Small companies that look at things manually usually get confused when I fill in the email address "smallcompany.com@example.com". One even canceled an order because they didn't believe the email address. (Apologies and rebate though when I told them that yes, that's the correct one.)
I also sort every @example.com into a separate mailbox. If anyone has a good tip for a good imap server/mail reader combo that can handle a
PGP Reset Emails (Score:2)
I've wondered why services don't allow you to do something like add a PGP public key, and all notifications from that site are sent encrypted to that key. If someone gets ahold of your reset email, well, unless they have your private key and passphrase, they're still out of luck. Furthermore, legit email notices could be signed by a known public key of the site.
OK, it was a bit rhetorical perhaps, as I know not many are familiar with PGP to use it. Outlook doesn't support it out of the box so that cuts out a
It's a business solution, not a technological one (Score:1)
I've wondered why services don't allow you to do something like add a PGP public key, and all notifications from that site are sent encrypted to that key. If someone gets ahold of your reset email, well, unless they have your private key and passphrase, they're still out of luck. Furthermore, legit email notices could be signed by a known public key of the site.
OK, it was a bit rhetorical perhaps, as I know not many are familiar enough with PGP to use it. Outlook doesn't support it out of the box so that cuts out a lot of users right there. And even people technical enough to know what it's doing don't always like it.
And I guess the problem then would be people saying "I forgot my PGP passphrase, please help!". So maybe it wouldn't actually solve much and still be prone to social engineering. But still. In 2016 I would have thought we'd have a better handle on privacy and security.
Because that doesn't make sense from a business standpoint.
2-factor authentication to your phone works for most consumers. For higher-value accounts of celebrities, etc..., people should be able to pay to have password resets confirmed by fedex or by phone call to their IT department/agent/secretary.
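The proposal quoted above (reset notices encrypted to a key the user registered, and signed by the site) is a standard hybrid-encryption exchange, and it is worth seeing why a mailbox thief gets nothing from it. The following is an added example, not code from the original page or from any site it discusses; it uses X25519 plus AES-GCM in place of PGP's RSA/ElGamal-and-symmetric-session-key construction and Ed25519 for the site's signature, and derives the session key with a plain SHA-256 hash labelled as a stand-in for HKDF. The `ResetNotice` type, both function names and the example URL are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ResetNotice is what the site would mail: an ephemeral X25519 public key,
// the AES-GCM ciphertext of the reset link, and the site's Ed25519 signature
// over all of it. Reading the mailbox reveals none of the link.
type ResetNotice struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
	Signature    []byte
}

func (n *ResetNotice) signedBytes() []byte {
	out := append([]byte{}, n.EphemeralPub...)
	out = append(out, n.Nonce...)
	return append(out, n.Ciphertext...)
}

// deriveKey turns the ECDH shared secret into an AES-256 key, binding both
// public keys so the key is tied to this exchange. Stand-in for HKDF.
func deriveKey(shared, ephPub, userPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("password-reset-notice-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(userPub)
	return h.Sum(nil)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealResetLink is the site's side: encrypt link to the user's registered
// public key, then sign the whole notice with the site's long-term key.
func SealResetLink(siteKey ed25519.PrivateKey, userPub *ecdh.PublicKey, link string) (*ResetNotice, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(userPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(deriveKey(shared, eph.PublicKey().Bytes(), userPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	n := &ResetNotice{
		EphemeralPub: eph.PublicKey().Bytes(),
		Nonce:        nonce,
		Ciphertext:   gcm.Seal(nil, nonce, []byte(link), eph.PublicKey().Bytes()),
	}
	n.Signature = ed25519.Sign(siteKey, n.signedBytes())
	return n, nil
}

// OpenResetLink is the user's side: reject anything not signed by the site
// (a phishing mail), then decrypt with the private key only the user holds.
func OpenResetLink(sitePub ed25519.PublicKey, userPriv *ecdh.PrivateKey, n *ResetNotice) (string, error) {
	if !ed25519.Verify(sitePub, n.signedBytes(), n.Signature) {
		return "", errors.New("notice is not signed by the site")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(n.EphemeralPub)
	if err != nil {
		return "", err
	}
	shared, err := userPriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	gcm, err := aead(deriveKey(shared, n.EphemeralPub, userPriv.PublicKey().Bytes()))
	if err != nil {
		return "", err
	}
	link, err := gcm.Open(nil, n.Nonce, n.Ciphertext, n.EphemeralPub)
	if err != nil {
		return "", errors.New("cannot decrypt: wrong key or tampered notice")
	}
	return string(link), nil
}

func main() {
	sitePub, sitePriv, _ := ed25519.GenerateKey(rand.Reader) // site's long-term key
	userPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)    // user's registered key
	notice, _ := SealResetLink(sitePriv, userPriv.PublicKey(), "https://example.com/reset?token=constructed")
	link, err := OpenResetLink(sitePub, userPriv, notice)
	fmt.Println(link, err)
}
```

The caveat the quoted poster raises survives intact: the private key now has to be as recoverable as the password was, or the next support ticket is "I lost my key, please reset my key", and the reset flow is back to whatever the site can verify out of band.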
Re: (Score:2)
simple solution - expire passwords at random time intervals
Which is itself a stupid policy and has been proven time and time again to only lead users to choosing weaker passwords, writing their passwords down, etc. so they can remember them.
Re: (Score:2)
Don't allow them to set weak passwords. If you allow your users to set weak passwords, expect them to set weak passwords.
Users will set the weakest password you will let them get away with. You can try to set all sorts of arcane rules and yet users will still find ways to make weak passwords.
As far as writing it down goes, you're never going to stop that. I've come across users that wrote down even the simplest of passwords; forcing harder passwords is not going to change that.
Forcing them to constantly change their password is going to KEEP them doing it.
Your argument is worthless as long as we're talking about passwords. Once there is a working replacement for passwords, your argument has merit.
It's only "worthless" if you don't actually really care about opsec. Enjoy your users' accounts being easy to break into.
This is what you get when... (Score:2)
Re: (Score:2)
lol
Good one.
Was his password.... (Score:2)
Curious (Score:1)
So much for the new management (Score:1)
Re: (Score:2)
As well you should. I see so much noise from so-called "old timers" who think they're the end-all be-all of defining what /. should be. Like not reading an article that you can see from the title isn't to your taste is a fucking burden.
I can tell that you guys are trying. It's one reason I'm back after several years of not bothering to check this place at all.
As long as you guys can keep the shitposts down, I think we're good.
Re: (Score:1)
Well, you fired those two worthless losers when you arrived, which was a great breath of fresh air. There's still one left, who apparently thinks that the word "hack" plus the word "Twitter" equals "Slashdot story". How many weeks do you need to stop posting stuff like this? I volunteer to start picking out stories instead of timothy. I'll do it for free, too. As a bonus, my stories will not repeat themselves in the same 24 hours, I will use a spell checker, and I will explain unfamiliar concepts and a
Re: (Score:2)
Sorry, I react poorly to people who I perceive have flipped me the bird verbally.
In the past, the firehose has been roundly ignored when it votes up inconvenient stories like the Albright "burn in hell" story. Thus, a lot of other people and I stopped using it a long time ago. Try renaming it to something other than 'firehose' and tell us that it'll auto-post no matter how damaging the topic matter is to the Democrats.
Re: (Score:2)
There's not going to be a pro-Trump story because that prick has no one's interests at heart other than his own. If you're looking for "Fox News" style "fair and balanced" you can fuck right off to your fascist hacienda and die.
By your imaginary "news for nerds" filter, how would a pro-Trump story even be a thing here? You're a bit of a prat.
Re: (Score:2)
No you just have to learn the customs of a sane community. Raging at "the man" without a point of reference is seldom productive.
Re: (Score:2)
Imaginary news for nerds filter? WTF? It is the founding statement of the website. It's why we're all here. By nerds, for nerds. I am seriously having a problem comprehending how you don't know this.
If you have a problem tolerating people who think differently from yourself, you fit all the criteria in this article. Here is a particularly damaging excerpt that describes you to a T:
Re: (Score:2)
And I react poorly to people that think that they alone represent the filter through which "News for Nerds" should pass. There's so many of you grognard assholes. Get the fuck over it. The new ownership does seem to care. They just don't have to specifically care about YOU.
Peace and Love, Peace and love! (Score:2)
it's not like a celebrity has any different security than normal people.
But it's still funny.
Re: (Score:2)
Ringo isn't even involved. As stated, this was someone breaking into the email of the guy who runs Ringo's Twitter account.
Where's the IT angle? (Score:1)
Motive (Score:2)
useful? (Score:2)
Can I use this "hack" to get my old, bot-stolen (because I obviously didn't care back then), twitter account back?