On Monday, fans of the Chicago Bears on social media might have been taken aback to hear through the American football team’s Twitter account that the team traded its star player for just 1$ and had been sold to Turki Al-Sheikh, an official in the Saudi Arabian government. This “fake news” was the result of a series of cyberattacks propagated by OurMine, a Dubai-based hacking collective, right before Super Bowl Sunday.
Over Monday and Tuesday of this week, OurMine compromised the social media accounts of over a dozen popular American football teams, the NFL, the UFC, and ESPN. According to the BBC, the group changed profile pictures and headers and posted tweets through the compromised accounts, including one that announced that the collective had returned “to show people that everything is hackable” and encouraging viewers to find out more about the organization through email, Twitter, or visiting its website.
Pulling stunts like this is on-brand for OurMine. Before internal matters led to its temporary dormancy after 2017, the group claimed responsibility for hacking the social media accounts of HBO, Buzzfeed, big names in tech, like Facebook’s Mark Zuckerberg, Twitter’s Jack Dorsey, and Google’s Sundar Pichai. On its website, the collective claims that it is dedicated to “white hat,” or ethical, hacking focused on account privacy and security.
OurMine’s mission is nominally consistent with a growing interest in white hat hacking for privacy protection as more of our devices are being connected to the web. White hat hackers are usually invited by new sites, companies, and governments to try to hack systems, making their activities legal. Others have broken into smart home devices unlawfully but to warn consumers about the system’s vulnerabilities. During the 2018-2019 Pewdiepie vs. T-Series YouTube battle, a fan of the Swedish online personality used the open network ports of 50,000 internet-connected printers to have them print messages encouraging the reader to “Subscribe to Pewdiepie” and update their printer’s security.
But the recent OurMine attack doesn’t draw attention to a specific venerability of social media. The method of breaking in, a compromised third party platform, was specifically tailored for the teams and companies and is likely a non-issue for social media users at large. That might have been fine if OurMine had been invited to probe the security of these social media accounts, but the group acknowledged in a statement to NBC that this was not the case, and that when they tried to contact their targets before tweeting from the compromised accounts, their messages were unanswered.
Given the lack of an invitation and a widespread security breach over which to raise awareness, OurMine’s activities seem less focused on giving insight into problems than marketing themselves as the solution, self-promoting by means of publicly embarrassing companies and individuals at optimal times. It’s a funny publicity stunt and an interesting advertising model, one that has no doubt been complicated by swift actions from the hacked accounts to remove OurMine’s content and Twitter’s decision to suspend the collective’s account on the platform. Yet, it lacks the altruism that has justified ethical hacking in the past, causing us to wonder whether this white hat hacking is just another shade of grey.