Update, July 9: OurMine has just claimed another new victim: this time the man who sent the world’s first tweet, Twitter founder and CEO Jack Dorsey.

Original post, June 27: Less than a month after Mark Zuckerberg and Spotify boss Daniel Ek had various social media accounts hacked, Google CEO Sundar Pichai has joined the club. A three-man “security team” from parts unknown, OurMine is making a name for itself by hacking high-profile social media accounts and leaving its tell-tale calling card. This weekend’s target? Pichai’s Quora account.

Pichai’s Twitter account started spouting OurMine’s standard manifesto late Sunday night: “Hey, it’s OurMine, we are just testing your security, please visit https://ourmine.org to upgrade it”. It turns out that it was actually Pichai’s Quora account that was hacked and the tweets had been sent automatically. A few hours later Pichai’s accounts were back under his control and the hacked comments and tweets were deleted.

When you’re the CEO of Google and a social media account gets hacked, it’s embarrassing, but not as embarrassing as when you’re the CEO of the world’s largest social network and multiple accounts get hacked. Especially when your pathetically simple password also gets divulged.

Mark Zuckerberg was a previous target of the group, when they gained access to his Twitter and Pinterest accounts three weeks ago. As if having multiple accounts hacked at the same time wasn’t bad enough, OurMine revealed that his password for Twitter was “dadada”. It didn’t make the list of 2015’s worst passwords but it’s gotta be up there.

Meanwhile, Spotify’s Daniel Ek got hacked late last week, and other high-profile victims include musicians David Guetta, David Choi and deadmau5, YouTubers PewDiePie and Markiplier, former Twitter CEOs Ev Williams and Dick Costolo, Twitter founder Biz Stone, and actors Channing Tatum and Sawyer Hartman. In each case, OurMine offers to perform a security upgrade for their victims.

According to their site, this scan of a person’s or company’s security can cost up to $5,000 and has already reportedly earned them $16,500. Whether or not you consider hacking someone’s account and then charging them money to regain control over it to be extortion, the group hasn’t been arrested yet, despite the very deep pockets of the people they are targeting.

As for how they are managing the hacks, some security experts think they simply bought a database containing millions of LinkedIn passwords hacked in 2012. The list is being offered on the dark web for as little as five Bitcoin ($2,200). Because many people re-use passwords, OurMine are supposedly just targeting other social media accounts of high-profile users.

OurMine has denied this is the case, claiming to be using various exploits and unknown “zero day” vulnerabilities. They also seem to be perfectly polite when a victim gets in touch to “upgrade” their security. When they hacked Minecraft creator Markus “Notch” Persson’s account, he thanked them publicly for a pleasant conversation.

Whether the team will eventually be tracked down and prosecuted, or whether their seemingly innocuous exploits (pun fully intended) will continue to go unchecked, I highly doubt this is the last time we’ll hear of them.

Have you ever been hacked? Do you re-use the same passwords?