Rahul Gandhi's Twitter account hacked: Lessons to be learned from the compromise

Rahul Gandhi’s official Twitter handle –  @OfficeOfRG  – was hacked on 30 November after it emerged that obscene tweets were being posted by the account. The situation is now under control and Gandhi has restored his access with a tweet directed at his haters .

But just a day after the hacking of Gandhi’s account, his party’s official Twitter account was hacked on 1 December as well. Indian National Congress’s official Twitter account was hacked on Thursday morning. Expletives and abusive tweets were posted on the handle. One of the tweets posted on the account said that a “full dump” of Congress emails will be posted.

Blame Game

As it often happens in such cases, political parties quickly start conjectures as to who is responsible. The Congress party started alleging that BJP was behind the hack attacks.  According to Firstpost, the Congress has filed a complaint with the cyber cell of Delhi Police on the hacking of its vice-president’s Twitter account, by the party’s chief spokesperson Randeep Surjewala, demanding strict action against those behind the hacking.

While the case is being investigated, it has emerged that the @OfficeOfRG was accessed using Rahul Gandhi’s official email ID , the servers of which are located in Bengaluru.

Cyber security expert and consultant with the Internet and Mobile Association of India (IMAI) Rakshit Tandon says that it seems like a case of phishing attack.

Phishing could be a possible reason

Phishing uses social engineering to attack the victim. The modus operandi is simple. Hackers create fake email accounts which look genuine and as though they have come from a social media site, in this case. They have messages such as, “It looks like your account was hacked.” Or, “Someone tried to login in to your account from . Please update your password.” Then they have a link in these emails, which again look genuine and lead the victim to a fake landing page, which looks exactly like account verification pages. The user is then prompted to enter their details, which the user may think is going to the social media account’s servers, but actually is going to the hacker.

“Twitter, for instance, does not differentiate between a Rahul Gandhi Twitter account and that of another verified user account. It does not grade a user with his or her VIP status. At the most, if Twitter or Facebook suspects abnormal activity such as logging in attempt from a foreign country, then it has methods to send alerts to the user to check if that is really him or her. It could either have been a phishing attack or if OTP was activated, then there may have been malware which could also read OTP. These days hackers can read your OTPs as well,” said Tandon.

But considering the handle is an official handle, there are high chances that it may have been handled by Rahul Gandhi’s social media staff or public relations officials and so on. So the weak link could emerge from any of these handlers as well.

“Now these accounts maybe handled by multiple people on multiple devices, so honestly anyone could be a weak link, leading to the hacking of an account. That seems like the most logical answer to this hacking episode. At the most celebs use their accounts to reply, or tweet whenever they have free time,” said Tandon.

But in such cases of verified accounts of high profile celebrities, shouldn’t there be extra security measures? Tandon says that there is a two-step verification method, but it may not be practical to use it in all cases. Specially in the case where the same account is being handled by multiple users. At multiple locations.

“So for instance, if Gandhi is visiting some remote town in India, and the person handling his social media is sitting in Delhi has to login to tweet or put out a Facebook status, two step verification will ideally send an OTP on Gandhi’s phone. Now, the social media manager cannot disturb such a busy person just to ask for OTP. So while extra verification is good, it is not always practical in case of busy celebrities or politicians,” Tandon explains.

Doing this can get you in a legal soup

The first outcome of celebrity Twitter account hacks is rampant sharing of the tweets or updates posted by the hacker. There are cases where a lot of us come across our friends sharing obscene tweets coming from an official looking handle, just as a joke. Anyone who is part of a WhatsApp group (most of us are), knows the kind of unverified forwards doing the rounds.

While all this may seem like harmless fun, in the eyes of the law, sharing details of a compromised account can put you in a legal soup if the affected victim decides to pursue a case diligently.

Here is the what Section 67 of the IT Act 2000 states officially, “Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.”

The language of the law clearly says that even if you propagate or share such content, you are in the wrong. So be very careful when you are retweeting or sharing content from a compromised account.

The legal recourse

Just like Congress has approached the cyber cell to file a complaint regarding this hacking episode, any citizen facing similar issues can take this legal recourse. According to the IT Act 2000 : Under Section 66C one can be punished for identity theft; Section 67 which deals with online obscenity posted, carries a sentence of 3 years and a fine of Rs 5 lakh; any sexual comments and sexual obscenity that takes a recourse of 67A - that’s 5 years of jail and Rs 10 lakh fine.

According to National Crime Records Bureau (NCRB) data from 2015, of the 8045 cybercrime cases that were reported in 2015, around 5102 people were arrested under the IT Act. Conviction rate is an altogether different story though. According to Tandon, one of the main reasons for low conviction rate is lack of digital evidence.

“The high rate of pending cases leads to the very low rate of convictions. The chief cause of this is the issue of evidence and investigation. The problems with evidence are prevalent at every stage of the case. These range from delay in discovery and reporting of cybercrimes, improper handling of evidence by the victims or the police themselves, to an insufficient understanding of the complicated procedures established under law for valid digital evidence," we had noted in a previous story .

Tandon claims that as long as the crimes are reported, the police are doing a good job of trying to solve the case. “But the first difficult step is reporting a cyber crime. One should be aware that not every police station registers a cybercrime complaint. But a lot of people are not even aware of which is their nearest Cybercrime cell. Lack of awareness and lack of education with technical knowledge are reasons why a lot of cybercrime cases are not being reported,” said Tandon.

So while, you may find it amusing to see prominent personalities or organisations’ social media accounts being hacked, you need to exercise some caution before hitting that share button.