Cyber Incident Victim: Philadelphia Eagles

Date: Jan 2020

Location: United States of America

Summary

The OurMine hacking group compromised several NFL teams' and the league's social media accounts, including Twitter, Facebook, and Instagram, gaining temporary unauthorized access. The attackers used the platforms to promote their group and demonstrate security weaknesses, affecting accounts with tens of millions of combined followers. This incident followed prior breaches of high-profile individuals' accounts, highlighting vulnerabilities in social media security practices. Control was restored within hours, but the hijackings underscored risks associated with inadequate account protection measures across prominent organizations and public figures.

Description

On January 22, 2020, the hacking group OurMine resumed public activity, after being inactive since 2017, by compromising high-profile social media accounts, beginning with Facebook co-founder Eduardo Saverin's Twitter account. This marked the first confirmed attack in their 2020 campaign targeting celebrities, athletes, and sports organizations with large followings. Between January 22 and 27, the group systematically hijacked accounts across Twitter, Facebook, and Instagram, culminating in coordinated attacks against multiple National Football League entities. The NFL's official Twitter and Facebook accounts were compromised alongside six teams: Dallas Cowboys (Instagram/Facebook), Buffalo Bills (Instagram/Facebook), Houston Texans (Facebook), Minnesota Vikings (Instagram/Facebook), Kansas City Chiefs (Twitter), and Green Bay Packers (Twitter/Facebook). OurMine publicly claimed responsibility through their Twitter account during the two-hour window when they controlled these platforms, though Twitter subsequently suspended that account.

The attackers gained temporary control of accounts collectively followed by tens of millions of users, though the duration of unauthorized access remained brief in each case. No specific technical intrusion method was disclosed in available reports, but the pattern suggested credential-based attacks rather than platform vulnerabilities. OurMine used the compromised accounts primarily for self-promotion rather than financial gain or data theft, posting messages asserting their return and implying targets needed improved security measures. Affected organizations regained control through standard account recovery procedures, with no reports of lasting data compromise or system infections beyond the social media posts. The incident highlighted persistent risks to organizational social media assets despite available security measures like unique passwords and two-factor authentication, which were not universally implemented by victims prior to the attacks.
