On Sunday evening, the LinkedIn page for McAfee was hijacked by one or more unknown individuals, who apparently watched Twitter for reactions. The business page was defaced with random remarks, and at one point made a passing reference to a Twitch hack in 2016. (See update at the bottom of this story.)
The LinkedIn defacement happened around 9:30 p.m. EST on Sunday evening. McAfee recently announced some changes to the company, including a return to its original name after being acquired by private equity firm TPG.
How the individual(s) obtained access to McAfee's LinkedIn account is unknown, though someone claiming a connection to the incident says the key was recycled passwords.
Once word of the defacement started to spread, however, those responsible for the hijacking watched Twitter for reactions and posted comments on the McAfee LinkedIn page in response.
They also changed the company logo to a well-known meme after it was referenced on Twitter.
Another update to the hijacked McAfee LinkedIn page (deleted shortly after being posted) referenced a Gmail account used during the takeover of a Twitch account in 2016.
At the time, BlackDotATV was compromised during a live broadcast. Taunting the channel owner, Dominik "Black^" Reitmeier, the person responsible told him to email the Gmail account for instructions on how to secure his account.
Salted Hash reached out to McAfee for comment. The company issued a brief statement on the matter, but wouldn't comment further:
"As soon as we became aware of the issue, we quickly worked with LinkedIn to resolve it. The McAfee page has been recovered, and we have taken action to avoid a future incident of this kind."
We reached out to the referenced Gmail account as well. The person who responded claimed they were previously part of OurMine, a group that claims to be a security company but promotes its services by compromising other high-profile social media accounts.
The person said Sunday's McAfee hijack was possible due to recycled credentials, and that two-factor authentication was not enabled on the account. McAfee, the person said, was "a small hack, the first of many."
"They're going to gradually get bigger and bigger. Keep an eye on the twitter accounts of many high-profile companies, that's all I'll say."
The takeover lasted just over half an hour, until LinkedIn pulled the entire McAfee page. However, the changed logo had already propagated to many staff accounts, and it was still present even after the business page was removed.
Shortly after this story was posted, a person going by the handle "Monarch" contacted Salted Hash with additional information. This individual also goes by "Monarch" on OGFlip, the forum that reported that LeakedSource was raided by law enforcement earlier this year.
After some conversation, Monarch put us in touch with the person who is claiming credit for the McAfee hijacking. This individual, who asked that they not be named, said the McAfee LinkedIn hijacking started out as an attempt to take over a two-letter Twitter account.
The Twitter takeover failed, but the password originally believed to be linked to the account turned out to be the person's LinkedIn password. Salted Hash will not name the two-letter account, or the person who owns it. However, their password was discovered in the LinkedIn data breach records.
It was this compromised LinkedIn password that gave the McAfee hijacker access, because the victim's LinkedIn account was listed as an administrator on the McAfee company page.
Until McAfee comments further, there is no way to verify this person's claims, but the methodology and the OurMine references they made are worth noting.
This incident highlights not only the risk of shared admin access on social media pages, but also serves as a reminder that passwords must be changed once they have been compromised. The same applies whenever there is a chance a password was exposed in a large data breach like the one LinkedIn suffered in 2012.
Since the compromised records were exposed to the public, the LinkedIn data breach has been tied to several incidents in the years that followed. In many of the cases, it was the usage of recycled credentials that enabled the attackers.
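The check the last two paragraphs call for, as an added example that is not part of the original article: a breached-password lookup that hashes locally and only sends a short digest prefix (the k-anonymity range-query scheme popularised by the Pwned Passwords service), plus an audit over every account holding admin rights on a shared page. The breach corpus, the admin accounts and their passwords below are all constructed for this example; `range_lookup` stands in for a remote service and the account names are hypothetical.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Set

# Constructed stand-in for a leaked-credential corpus. It holds unsalted SHA-1
# digests, the format the 2012 LinkedIn dump used; the passwords hashed here
# are made up for this example and are not taken from any real dump.
CONSTRUCTED_BREACH_CORPUS: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("linkedin2012", "Summer2016!", "password1", "letmein")
}

PREFIX_LEN = 5  # k-anonymity: only the first 5 hex digits of the digest leave the client


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password as upper-case hex, matching the corpus format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str, corpus: Set[str]) -> Dict[str, int]:
    """Server side of a k-anonymity range query: return every digest suffix in
    the corpus whose digest starts with `prefix`, mapped to a hit count. The
    corpus here is constructed, so every count is 1. The server never sees the
    full digest, let alone the password."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d upper-case hex digits" % PREFIX_LEN)
    return {h[PREFIX_LEN:]: 1 for h in corpus if h.startswith(prefix)}


def is_compromised(password: str, corpus: Set[str]) -> bool:
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_lookup(prefix, corpus)


def audit_page_admins(admins: Dict[str, str], corpus: Set[str]) -> Dict[str, List[str]]:
    """Audit every account that holds admin rights on a shared page.

    `admins` maps a hypothetical account name to that account's password (in
    practice you would run this at password-set time rather than store plaintext).
    Returns two sorted lists:
      - "breached": admins whose password appears in the breach corpus
      - "reused":   admins sharing a password with another admin
    One hit in either list is enough to lose the whole page, which is the
    exposure the McAfee incident illustrates.
    """
    breached = sorted(name for name, pw in admins.items() if is_compromised(pw, corpus))

    by_hash = defaultdict(list)
    for name, pw in admins.items():
        by_hash[sha1_hex(pw)].append(name)
    reused = sorted(n for group in by_hash.values() if len(group) > 1 for n in group)

    return {"breached": breached, "reused": reused}


if __name__ == "__main__":
    # Constructed example: four admins on one company page.
    sample_admins = {
        "admin-a": "linkedin2012",        # in the constructed corpus
        "admin-b": "Tr0ub4dor&3-unique",  # clean
        "admin-c": "Summer2016!",         # in the corpus and shared with admin-d
        "admin-d": "Summer2016!",
    }
    print(audit_page_admins(sample_admins, CONSTRUCTED_BREACH_CORPUS))
```

The same `is_compromised` check belongs at password-set time on any account that can administer a shared asset, and the audit should be rerun whenever a new dump surfaces; neither replaces enabling two-factor authentication, which the hijacker said was absent here.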