FC Barcelona Suffers Likely Credential-Stuffing Attack on Twitter

OurMine took over the Spanish powerhouse soccer team’s Twitter account.

Just ahead of its Champion’s League Round of 16 appearance next week, FC Barcelona’s official Twitter account was hacked in an apparent credential-stuffing attack. The strike resulted in account takeover and bogus tweets being sent out.

The hacking collective known as OurMine, which made headlines for taking over official Twitter accounts for 15 different NFL teams in January, took credit for the attack on Saturday. This is the second time that “Barca” (as the Spanish powerhouse is affectionately known) has been an OurMine target: The group took aim the Spanish team back in 2017 as well, attacking its Twitter and Facebook pages.

OurMine claims to hack sites with good intentions, to help targets “improve your accounts security” as it said in one of the tweets (now deleted). It also claims to choose its targets at random. However, the group does appear to do its homework on its targets. One of the tweets in this case included an intimation that Brazilian star Neymar Jr. will return to the club. He left FC Barcelona to play for Paris Saint-Germain back in 2017, and the rumor mill has been circulating the idea that he could rejoin Lionel Messi and Luis Suarez on his old team this summer.


“FC Barcelona’s Twitter accounts have been hacked, which is why messages from outside our club have appeared, and which have been reported and deleted,” the team announced on Twitter once it regained control of its social-media presence (Twitter quickly reset the accounts). “The tweets were made through a third-party tool for data analytics.”

OurMine itself confirmed that a third-party platform was indeed to blame.

“We accessed it by security issues on … employees, which allowed us to access the third-party app,” the group told Business Insider.

FC Barcelona said that it “will conduct a cybersecurity audit and will review all protocols and links with third-party tools, in order to avoid such incidents and to guarantee the best service to our members and fans.”

Account takeover attacks typically leverage credential stuffing, which is an automated, bot-driven process that takes advantage of the fact that users who often reuse the same passwords across multiple online accounts. Security firm ESET noted in a posting this week that this is likely what happened to FC Barcelona.

“Using leaked or stolen access credentials from data breaches, the bots will then hammer the sites with multiple login attempts until one of the combinations pans out,” the firm explained.

Credential-stuffing has been on the rise thanks to several large-scale credential dumps online, and several high-profile companies have fallen victim to it, including Dunkin Donuts and State Farm. One common recommendation is to implement multi- or two-factor authentication (MFA/2FA).

“Facebook, Instagram and Twitter all offer several 2FA methods,” ESET noted. “The second authentication factor offers a valuable additional layer of protection in exchange for very little effort.”

“While multi-factor authentication (MFA) is not foolproof, it causes a significant amount of additional work for the attackers so they are more likely to move on to easier targets,” said Erich Kron, security awareness advocate at KnowBe4, via email. “It’s like the thieves walking through neighborhoods at night checking door handles on cars. If the door is locked, they move on, looking for one that isn’t.”

Roger Grimes, data-driven defense evangelist at KnowBe4, however cautioned that using this protection isn’t completely effective, given that human weaknesses can always play a role.

“Enabling multi-factor authentication can help reduce the risk of data theft, but isn’t a 100-percent protection,” he said via email. “Any MFA solution can be hacked. I can hack different MFA solutions 48 different ways and any particular solution at least six different ways. So, while it is usually good to recommend that people use MFA to protect their confidential information it’s just as important to educate them that MFA isn’t 100-percent effective. They still have to be aware that phishing emails can bypass their MFA devices and getting tricked into going to a fraudulent website is very likely damaging without or without MFA being used.”

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.


Suggested articles