The X/Twitter account of Google’s Mandiant cybersecurity service has been taken over by a hacker who is seemingly promoting a cryptocurrency scam.
The incident happened very early Wednesday morning, Eastern time. As of Wednesday afternoon, the account called Mandiant was still run by an operator called ‘Phantom.’ Messages posted refer to “token prices” and include a link to an app.
“We’re looking into it,” Mark Karayan, Mandiant’s media communications lead for threat intelligence, told IT World Canada. “It’s definitely been taken over … We’re working to get it resolved.”
Karayan couldn’t say how the incident happened.
Google acquired Mandiant in 2022 for US$5.4 billion. Mandiant had been owned by FireEye, but was spun off after the parent company admitted in February 2021 that a threat actor had compromised the firm and made off with FireEye cybersecurity tools.
Google has been one of the leading IT suppliers pushing organizations around the world to adopt multifactor authentication (MFA) as an extra step to protect logins not only to its services, but also for any network-linked service. Google staff have had to use MFA for years. Since 2017, all Google employees were forced to adopt Google’s Titan key-based MFA to ensure staff aren’t victims of phishing attacks in which a victim is directed to a fake login site where their username and password can be copied.
It isn’t known if staff who had access to the Mandiant X/Twitter had to use security keys, which are USB sticks that have to be physically plugged into a computer to provide an extra login factor for access.
Still, experts note that, unless MFA systems are set up properly, hackers may be able to get around them by convincing IT support staff to reset passwords. If done through a man-in-the-middle attack, a hacker can get hold of a user’s session cookie to take over access.
Perhaps by coincidence, the takeover of the Mandiant account this week comes with the revelation that the X/Twitter account of a Canadian senator was temporarily captured by a hacker.