On Saturday when I broke this story on electric carmaker Tesla getting their Twitter account and website hacked, I said this:
It’s surprising that a company run by Elon Musk would get pwned like this. So you can pretty much expect that whoever runs Tesla’s social media efforts is about to get fired.
Here’s more ammo to back up the fact that the responsible party should be fired. Apparently it was a social engineering hack:
SecurityWeek, which spoke with a Tesla spokesperson, explained that the two accounts were hijacked via a simple tactic dubbed “social engineering.” It went something like this:
- A hacker called AT&T customer support and posed as an employee of Tesla. This person then demanded all phone calls to the company be forwarded to a new fake phone number.
- Next, this malicious hacker got in touch with Tesla’s domain registrar Network Solutions. Since all the phone calls were being forwarded to the hacker, this person was able to easily add a new email address to Tesla’s domain administrator account.
- With this new email on the account, the hacker then reset passwords for the website and wreaked hours of havoc.
The Tesla spokesperson emphasized to SecurityWeek that no data was breached. “Our corporate network, cars and customer database remained secure throughout the incident,” Tesla said.
The fact that the public face of Tesla was hacked in such an easy manner should really make the folks at Tesla rethink their IT security. I say that because social engineering hacks are less about technical skill and more about being able to convince people to do what you want them to do. That’s why companies have to train employees to spot these sorts of hack attempts, whether they’re focused on them or their customers.
You have to wonder what hackers with a lot more skill, who were also willing to put in a lot more effort, could have gotten away with.