Celebrities and executives continue to have their social media accounts compromised by enterprising hackers. The latest victim is Google CEO Sundar Pichai, who had his Quora and Twitter account compromised on Monday.
The hack was performed by OurMine, an online security outfit that has a penchant for hacking well-known people. One of OurMine’s operators told the Daily Dot they were able to gain access to Pichai’s Quora account by exploiting a vulnerability in the question-and-answer website. Once they were into his Quora account, the group was able to post on his Twitter account, which was linked to Quora.
According to OurMine, the group reported the vulnerability to Quora so that it could be fixed. The group claims to have no intention to act maliciously and doesn’t change passwords on accounts it accesses, but rather just wants to raise awareness of risks.
“We are just trying to let them know that nobody is safe,” a member of OurMine told the Daily Dot, “and if we didn’t do that other hackers are gonna hack them.”
Earlier this month, the team took over the abandoned Twitter account of Facebook CEO Mark Zuckerberg after the password to his LinkedIn account was revealed in a dump of login credentials to the work-centric social network that were taken in 2012.
OurMine also has reportedly hacked a variety of other major players in the tech industry, including Amazon CTO Werner Vogels; Spotify CEO Daniel Ek; and Randi Zuckerberg, businessperson and sister to Mark Zuckerberg.
Quora told the Daily Dot that the break-in to Pichai’s account likely resembled the Zuckerberg incident, in which a password leak compromised the account and was not caused by a security risk in its own platform.
“We are confident that Sundar Pichai’s account was not accessed via a vulnerability in Quora’s systems. This is consistent with past reports where OurMine exploited previous password leaks on other services to gain access to accounts on Twitter or Facebook,” the spokesperson said.
“We recommend that people use unique passwords for accounts on different services, so that a security breach on one service does not lead to attackers gaining access to accounts on other services,” the spokesperson explained. “Safeguarding our users is very important to us, which makes security at Quora one of our highest priorities.”
Quora also claimed to have “no record of a report by OurMine pointing to a vulnerability,” despite OurMine’s claims.
An OurMine representative provided two screenshots to the Daily Dot that appear to show the group did in fact file a report to Quora via the bug bounty program platform Bugcrowd. According to the screenshots, the report was filed on Saturday and is “still being assessed.”
Further, OurMine claims that it never even had access to Pichai’s password. The group claims to have discovered an exploit on Quora using web debugging tool Fiddler 4. Once they got into his Quora account, they were able to post to Twitter through Quora, but never used a password to enter either accounts.
Whether OurMine used stolen credentials or a vulnerability to get into Pichai’s account, the incident did appear to stem from access through Quora. Users who have other social media accounts linked to Quora may want to update their settings to either revoke permission to post via Quora or delink entirely.
Users can perform this by opening the Settings menu on Quora. Under the Profile menu, any linked accounts should be displayed, as well as related settings. From here, users can toggle settings or remove the linked accounts.
At the time of publication, Google is not offering comment on the incident.