Exactly how their accounts were compromised is a lesson in the basics of password hygiene; we think they'd know better than to reuse old, simple passwords across different services -- apparently not? The why of these high-profile compromises is an ongoing story of low-level crime and extortion reminiscent of pickpockets at a traveling quack-doc medicine roadshow.
Unlike other groups, OurMine isn't a hacktivist collective doing it to right any social wrongs, a "leet" hacker earning their reputation or a Crimean crime ring having some lulz in between running illicit botnet-for-hire operations for despotic governments. It's just hackers who've decided to make a "security company" out of their attacks. A company that's hitting PR home runs every time it brags about taking over yet another CEO's account.
The group appears to be combing file dumps from recent high-profile breaches for tech CEO names and trying out their old passwords on different services to see what works. If the old password has been recycled and is still valid, OurMine then takes over the account. For example, some of the passwords they're cross-matching appear to be from the 2012 LinkedIn break-in, which surfaced in May as a database for sale.
In the case of Google's Sundar Pichai, OurMine took over his Quora account, claiming to have notified Quora of a security hole. Quora, however, told Engadget that no such report was made, which is just as well, given the intrusion was possible only because of password reuse, anyway. Once OurMine had access to Pichai's Quora, it was then able to get into his Twitter account simply because they were linked.
When OurMine hits pay dirt like this, it starts by posting from the victim's account, usually followed by a sensational blog post on the group's homepage. The OurMine website proudly features screenshots of numerous hacked accounts it's allegedly taken control of.
Each takeover is accompanied by finger-wagging on its blog about following better security practices -- it's all part of a carefully orchestrated act dressed up as a well-intended cautionary tale. Then OurMine conveniently mentions it just happens to be selling services that offer some kind of better protection. None of which addresses the fact that password reuse is an inherently human issue.
That's right: All these CEOs have been hacked by a group that claims to be doing it to make people more secure, but are actually selling a security product. It's like someone taking your wallet out of your open bag in a cafe, and then offering to sell you a wallet chain, but only after telling the whole cafe how they took your wallet. What's worse, many media outlets keep falling for it, while failing to point out the group's business agenda.
We already mentioned OurMine hijacking the social accounts of high-profile CEOs, but the company doesn't stop there. It has also pulled its cyber-snake-oil routine on many other names with wealth and status, including VCs Mark Suster and Vinod Khosla, Spotify founder Daniel Ek, Randi Zuckerberg, Amazon Chief Technology Officer Werner Vogels, Matthew Inman ("The Oatmeal") and even "Magic Mike" actor Channing Tatum.
I'll be honest. For me, most of those names fall into the category of privileged upper-class douchebags whose contributions to our struggling, open internet are, in terms of social issues and censorship, more negative than positive. But when they got to Channing Tatum, the altruistic bringer of sexypants hotness and happiness to all who love a fine male form, all bets were off. And they hacked and ridiculed The Oatmeal!? OurMine, you done us wrong.
So what are OurMine's products anyway? What's the "miracle cure" these hacker docs are selling?
If you believe the company materials, OurMine offers "top-notch vulnerability assessment." Its "About" page states that it is "an elite hacker group known for many hacks" that identifies as white hat hackers. "We are experienced in many fields of hacking and can crack anything from a network to a social media account." They explain, "Not only will we give you access to all your accounts again, we will give you future security tips and assist you with securing your account to it's[sic] maximum potential."
Indeed. The OurMine team also uses its Twitter account to showcase retweets of people. Just normal, not-famous people, grateful that OurMine gave them back access to their accounts after takeover. Customer satisfaction right there?
Victims/customers can choose from four services. Each of them talks of "scans," with very little explanation or technical details of what's actually involved. When we asked what exactly a "scan" entails, OurMine told Engadget, "We will scan all of his accounts and try to hack it for him, if we wasn't[sic] able to hack it we will refund him, but of course it's[sic] should be his own account."
The services offered all have vague names. "Social Media" will "scan" Facebook, Twitter, and Instagram and costs $30. "Websites" in which they "scan website for any vulnerability" is $1,000. There's also an ongoing service called "Accounts: All Websites" where OurMine does something beyond understanding called "Scan your accounts for all websites" -- whatever that is, it costs $150 a month.
Naturally, OurMine doesn't just cater to individuals. For a mere $5,000 you can buy what looks to be the OurMine enterprise package, where you'll get "Scan all staff members in the company; Scan websites of the company," and something left to interpretation called "Scan application."
It's all prepaid, of course, via PayPal for your convenience.
Sadly, as long as humans remain fallible, this racket might be one that's likely here to stay. Unless someone decides to take legal action, that is. What OurMine is doing very likely violates the Computer Fraud and Abuse Act (CFAA). The CFAA is a broad anti-hacking statute that criminalizes unauthorized access; it is the same statute at issue in a recent ruling that puts acts like sharing passwords on your Netflix account into federal crime territory. Not to mention that the bit where OurMine offers their paid services to "secure" people's accounts may also count as extortion as per California Penal Code Section 518-527.
If there's one takeaway for you and me, though, it's that we need no further proof that all those hacked databases are actively being picked over and used to hijack accounts. So much so it's become a business. So, unless you want to be the next person having their "gratitude" retweeted by OurMine, go do a password inventory, set up two-factor, and disconnect old services that have access to your accounts already.
Images: David Paul Morris/Bloomberg via Getty Images (Sundar Pichai, Google); OurMine (About page screenshot)