

OurMine Continues Return to Activity With Attack on Facebook’s Twitter Account


The self-proclaimed security group OurMine has struck again, this time targeting Facebook. Rather than directly targeting Mark Zuckerberg as it did in 2016, the group compromised Facebook’s Twitter account. As with its previous attacks, the group used the compromised account to publish a self-promoting message that included its contact information so that Facebook could reach out for advice on improving its security. Twitter removed the post, but OurMine replaced it with another message moments later; this back and forth repeated multiple times. A Twitter spokesman confirmed that the account was not compromised directly through Twitter but through a “third-party platform.” Based on the tweets themselves, that platform appears to have been the social media management site Khoros. Once Twitter confirmed that the account was compromised, it locked the account and began working with Facebook to return control to them.

Analyst Notes

No information has been given as to how the third-party provider, likely Khoros, was compromised. Based on OurMine’s history, it is likely that password reuse by the account’s managers was to blame. OurMine is well known for exploiting the reuse of the same or similar passwords across multiple accounts. Enabling Multi-Factor Authentication (MFA) and using unique, strong, randomly generated passwords for each account is the best way to protect against similar attack methods. More information on this incident can be found at