BLACK HATS HACK for espionage, crime, and disruption. White hats hack to defend, digging up security vulnerabilities so that they can be fixed. And then there are the confusing ones: hackers whose black hats are covered in the thinnest coat of white paint, or so patchwork that even they don’t seem to remember which color they’re wearing.
Over the last couple of weeks a group calling itself OurMine has established itself as a prominent member of that third category. Late Sunday night, the OurMine team claimed credit for compromising the Twitter and Quora accounts of Google CEO Sundar Pichai, posting messages reading “hacked” and “we are just testing your security” to his half-million followers. Pichai is just the latest target of the group, which on Monday also hacked VC Mark Suster, and has already hit the Twitter accounts of Mark Zuckerberg, his sister Randi Zuckerberg, Spotify founder Daniel Ek, Amazon CTO Werner Vogels, and actor Channing Tatum.
OurMine even goes so far as to brag about each of those hacks on its website OurMine.org. And yet on that same site, it styles itself as a “Security Group,” offering personal and enterprise security checks, with a $1,000 PayPal price tag for a website scan, and $5,000 for a full company audit.
In a conversation with WIRED, one anonymous member of the group insisted that OurMine’s string of tech exec embarrassments is only its way of teaching us all a helpful lesson. “We don’t need money, but we are selling security services because there is a lot [of] people [who] want to check their security,” he wrote in less-than-perfect English, declining to offer his name or the location of what he described as OurMine’s three-person team. “We are not blackhat hackers, we are just a security group…we are just trying to tell people that nobody is safe.”
The OurMine representative added that the group hadn’t changed any of the passwords of the accounts it compromised—a polite touch it claims shows its benign intentions. But if their goal is to offer security warnings, why not privately inform the targets of their hacks of their vulnerabilities? “They will ignore us, so we should prove it,” the OurMine spokesperson protests. “We didn’t do anything wrong.” (He did note, however, that the group changes its IP addresses “every minute” to keep ahead of law enforcement.)
The anonymous member of OurMine says that the group was able to gain control of Pichai’s Twitter feed through the CEO’s Quora account; the two were linked to allow easy tweeting of Quora posts. He then claimed that OurMine hacked Pichai’s Quora account using a web vulnerability that it’s since reported to Quora. But a Quora spokesperson says it has no record of any vulnerability report from OurMine, and that it’s “confident that Sundar Pichai’s account was not accessed via a vulnerability in Quora’s systems.”
Instead, the company believes Pichai’s account was hacked due to his reusing a password that was exposed in one of the many recent dumps of credentials on the dark web—the same problem that led to Mark Zuckerberg’s Twitter account hack earlier this month. As for OurMine’s other hacks, the group’s representative said that it had hacked Amazon’s Werner Vogels and Randi Zuckerberg by exploiting a vulnerability in their Bit.ly accounts, which were also linked to Twitter. But Bit.ly also denied in a statement to WIRED that the hacks had exploited vulnerabilities in its site, blaming compromised passwords.
In fact, it’s worth taking all of OurMine’s claims with a heaping dose of skepticism. The OurMine member claimed, for instance, that the hackers have already collected $18,400 in fees for security services they’ve performed for willing clients. But when WIRED requested evidence of those transactions, he sent a screenshot from the group’s PayPal account that appeared to be doctored: It showed $5,000 payments from the companies Conversely and TruthFinder, but Conversely tells WIRED it never paid for any such “security” service. “The screenshot is fraudulent—we have never heard of OurMine until now, and would definitely never purchase such a service,” a Conversely spokesperson writes. TruthFinder didn’t immediately respond to a request for comment.
All of that suggests, if it weren’t already clear, that those seeking a security audit should probably not engage a group of anonymous, lawbreaking Twitter-defacement artists. But OurMine does offer some real security lessons, free of charge: Don’t reuse passwords between sites, set up two-factor authentication, and be aware that linking accounts can lead to unexpected security risks. Your Twitter account, as OurMine has successfully taught Sundar Pichai free of charge, is only as secure as the least-secure account that can post to it.