How stolen credentials led to hackers spewing hate on McAfee's social media

McAfee chief marketing officer Allison Cerra was about to sit down with her husband for Easter Sunday dinner and Netflix binge-watching when disaster struck.

A text came through to Cerra from Chatelle Lynch, McAfee's chief people officer, but it wasn't warm wishes for the holidays. She told Cerra to check out McAfee's social media page straight away since something bad had happened.

Cerra told attendees at McAfee MPower 2019 that she was confronted with a tapestry of racist, sexist and homophobic slurs as soon as she got onto McAfee's profile page on a social media network, which she declined to identify. The company description for McAfee had been replaced with the most repugnant and derisive of insults directed at nearly every walk of life, Cerra said.

And the timing couldn't have been worse. It was Easter 2017, meaning that McAfee was just 12 days away from spinning out of Intel and becoming one of the largest pure-play cybersecurity companies in the world.

"This would have been embarrassing for any company. But for McAfee … it was downright humiliating," Cerra said Thursday. "It was abundantly clear that our page had been hijacked by a hacker."

Cerra's mind went into overdrive imagining worst-case scenarios like the defacement of McAfee's social media profile actually being an ugly diversion as hackers set their sights on the loot in the company's systems. Fortunately, McAfee's head of digital was quickly able to reassure Cerra that McAfee itself wasn't hacked, meaning that none of the company's data or sensitive assets were at risk.

But there was no disputing that McAfee's company profile on the social media platform had clearly been hacked. The assumptions that Cerra and her team had entering Easter Sunday 2017 around control over the McAfee page on the social media platform couldn't have been more wrong.

"What's worse for me is that the hack happened on my watch," Cerra said. "As CMO, my team was and is responsible for safeguarding the company's presence across all third-party media channels. We had failed to do so."

The bad situation turned even worse when McAfee lost administrative access to its own social media page, Cerra said. When McAfee started deleting the hacker's rogue posts on its social media platform, Cerra said that alerted the hacker that the company was onto him. The hacker responded by locking McAfee out of its own account before the company could do the same to him.

Cerra was therefore forced to go on an "apology tour," contacting CEO Chris Young and every other member of McAfee's executive team and asking them to please confirm that multi-factor authentication had been enabled on their personal social media profile pages.

In the event the attack was a coordinated effort to destroy the reputation of McAfee's leaders in addition to the company brand, Cerra wanted to ensure that the hackers weren't successful. At the same time, Cerra was engaged in a constant back and forth with the social media provider imploring them to please restore McAfee's privileges and give the organisation access back to its own company page.

It turned out that the hack had ultimately occurred using stolen credentials of a former agency employee who was an administrator on McAfee's social media account, Cerra said. McAfee's first mistake was not disabling the employee's privileges when she left the agency, according to Cerra.

The credentials of the agency employee had been stolen when she used the same password across multiple accounts, Cerra said, including the account that gave her administrative access to McAfee's social media page. Cerra said the agency employee should have changed her password as soon as she learned that one of her accounts had been compromised.

Another mistake was McAfee's earnest attempt to delete the rogue posts on its social media before locking out the hacker and regaining control over the account. Cerra said McAfee should have locked the hacker out first, and then taken care of cleaning up his mess.

Finally, Cerra said McAfee erred in not having a formalised escalation process with the social media platform provider. Had McAfee known whom to escalate to and how to effectively resolve the situation, Cerra said the problem likely could have been resolved in minutes rather than several hours.

All told, Cerra said the ultimately preventable hack was yet another reminder that cybersecurity must be part of everyone's job.

"I'm the CMO of one of the world's largest cybersecurity companies, and even I wasn't prepared for what I faced that Easter," Cerra said. "I had taken my eye off the ball just long enough for an opportunistic hacker to strike."

Once the dust had settled, Cerra resolved to use what had happened to her as the impetus to educate both technical and non-technical employees on what they can and must do to protect their companies from threat actors. Cerra went about publishing The Cybersecurity Playbook, which is a practical look at what every employee must do to reduce the likelihood of a breach or hack happening at their company.

"I wanted to focus on the people in the equation, the employees who are often unwitting participants enabling bad actors to inflict harm," Cerra said. "We have to know the role on the team in which we all play in order to bolster our collective defenses against the enemy."

Ultimately, Cerra said she dreams of a day when companies defy conventional wisdom and eliminate the boneheaded mistakes that currently make it possible for so many preventable cyberattacks to occur.

"Our enemies should have to work that much harder to find a weak link among us," Cerra said.

This article originally appeared at crn.com

Copyright © 2018 The Channel Company, LLC. All rights reserved.