Cyber Incident Victim: McAfee
Date: Apr 2017
Location: United States of America
Summary
Attackers compromised the McAfee LinkedIn page using recycled credentials from a prior data breach, taking over an administrator account that had a reused password and no two-factor authentication. They defaced the page with random remarks, referenced a historical Twitch compromise, and altered the company logo to a meme while monitoring Twitter reactions. The hijacking lasted approximately 30 minutes before LinkedIn intervened, though logo changes persisted on linked staff profiles. Perpetrators claiming ties to the OurMine group cited credential reuse as the entry point and hinted at targeting additional high-profile accounts. The incident underscored risks of shared administrative access and password recycling following major breaches.
Description
On April 16, 2017, at approximately 9:30 PM EST, McAfee’s LinkedIn business page was compromised by an individual or group who defaced the account with random remarks and altered the company logo to a well-known meme. The attackers monitored Twitter reactions during the incident, adjusting the page content in response to social media activity. One post referenced a 2016 Twitch account takeover involving a Gmail address used to taunt Dominik "Black^" Reitmeier during a channel compromise. The hijackers, who claimed affiliation with the group OurMine, accessed McAfee’s LinkedIn account using recycled credentials from a victim whose compromised password—exposed in LinkedIn’s 2012 data breach—remained unchanged. This victim’s LinkedIn account held administrative privileges for McAfee’s page, enabling the takeover. The attackers initially targeted a two-letter Twitter account but failed, discovering the LinkedIn password during their efforts. The hijacking lasted approximately 30 minutes before LinkedIn removed McAfee’s page, though the altered logo persisted on some staff profiles even after the main page’s deletion.

McAfee responded by collaborating with LinkedIn to regain control of the page, issuing a statement confirming resolution and implementation of measures to prevent recurrence. The company declined further comment on the breach mechanism or attacker claims. The hijackers asserted that two-factor authentication was inactive on the account and described the incident as a precursor to larger compromises targeting high-profile corporate Twitter accounts. While McAfee did not verify these claims, the attackers’ reference to OurMine’s prior social media compromises and their methodology aligned with known credential-reuse tactics. The incident exposed risks associated with shared administrative access to social media accounts and highlighted persistent vulnerabilities stemming from password recycling years after major breaches. Impacts included temporary reputational damage from public defacement, operational disruption during the takedown, and residual visibility of the modified logo across employee profiles despite containment efforts.
