Hacker News new | past | comments | ask | show | jobs | submit login
Techcrunch hacked by OurMine
51 points by p0la on July 26, 2016 | hide | past | favorite | 23 comments
They removed the article, but there is still a post on their front page: https://techcrunch.com/

This the version googled has cached: https://webcache.googleusercontent.com/search?q=cache:JP0ef1CueKYJ:https://techcrunch.com/2016/07/26/ourmine-team-important-message/+&cd=3&hl=en&ct=clnk&gl=uk




I have been following the recent hacks by the OurMine group, and find it all fascinating.

If anyone knows more about the group, their motives and how they actually manage to compromise various high profile social media accounts and websites, please do share it here.


>I have been following the recent hacks by the OurMine group, and find it all fascinating.

Just some kids using someone elses tools to search through someone elses database collection. In this case the compromised journos password appears to have been "camus8" or "albertcamus8".

Don't reuse your passwords guys.


Whatever service let someone get away with a 6-character password in 2016 should be put down.


Seems to be done with a mix of compromised (reused) credentials and social engineering. Social media accounts in particular are quite vulnerable to social engineering since they are often tied to mobile devices and it's fairly easy to contact a network operator and set up a forwarding number or request a new SIM card etc which completely bypasses most 2FA solutions.


According to their website [1], they seem to be trying to establish a reputation for pentesting social-media and websites. What better way to garner interest than by hacking a couple major companies?

[1]: http://ourmine.org/


What I don't understand is how they think these "marketing" tactics will establish anything but a negative reputation for their brand. Seems to me like they are happily waving a massive red flag that says, "we break the law all the time and can't be trusted!"


Why can't they be trusted? Because they break the law?


Some people believe if a person breaks one law, they may be more inclined to break other laws.


I was implying the question; does breaking laws makes someone untrustworthy?


Yes, no, maybe. Irrelevant from a marketing perspective. It doesn't matter if you're trustworthy. If you are perceived as untrustworthy, businesses won't want to hire you.


Here's a Wired article from June about them:

https://www.wired.com/2016/06/meet-ourmine-security-group-ha...

The way the article is written, the writers can't seem to be able to get handle on why they hack the places they do and if they're black hats or white hats.


Great piece.

> But OurMine does offer some real security lessons, free of charge: Don’t reuse passwords between sites, set up two-factor authentication, and be aware that linking accounts can lead to unexpected security risks. Your Twitter account, as OurMine has successfully taught Sunder Pichai free of charge, is only as secure as the least-secure account that can post to it.




I managed to capture it 12 seconds after it happened (I am a regular tc reader)

https://goo.gl/5L9y5R


Looks like their post got published to the RSS feed as well. Can't undo that.


Please don't post links to hacked websites. A screenshot would do


They removed the post from their front page.


Don't see a link here, but Techcrunch posted about it in an article:

https://techcrunch.com/2016/07/26/a-hack-by-any-other-name/


I'm guessing they just pwned one of their employees via some kind of social engineering. Nothing to see here.


you say nothing to see here, but compromising high traffic sites with great potential for malware delivery to a large number of users shouldn't be a de-rigeur thing...

The fact that this has become the norm. should be a cause for concern.


WordPress VIP that hosts TechCrunch does require 2FA. Not saying it could not have been social engineering, but the usual dumb methods may not work.


The most popular method at the moment seems to be SEing phone companies into transferring the account to a phone owned by the attacker, therefore bypassing 2FA.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: