Skip to main content

These embarrassing passwords got celebrities hacked

One thing that celebrities have in common with everyday people is that they are also susceptible to cybersecurity breaches. Many public figures have had their private and public tech accounts hacked over the years and these attacks have often been due to them simply having weak passwords that were easy for bad actors to figure out.

Socialites, actors, politicians, and even prominent tech figures are guilty of lazy password practices, and falling victim to cybercrime that has compromised their passwords.

President Donald Trump

Trump with Facebook and Twitter logos stylized image
Getty Images/Digital Trends Graphic

In 2018, a Dutch hacker famously gained access to former President Donald Trump’s Twitter account by simply guessing the password, yourefired, which was his catchphrase on his reality show, The Apprentice.

In 2020, the same hacker was able to infiltrate Trump’s Twitter account again by guessing the password once more, as maga2020!, another catchphrase of his.

The lesson here? One, keep your catchphrases to yourself. Second, don’t use the current year or an exclamation point at the end of your password. It might satisfy the password generators, but it’s the most obvious and commonly used special characters.

Paris Hilton

In 2007 Paris Hilton with her pink Motorola Razr V3 made the Razr the most popular phone. (Credit: MTV)

In 2005, socialite and heiress Paris Hilton’s T-Mobile account was hacked after bad actors figured out the password was tinkerbell, the name of her beloved pet Chihuahua. However, others have discussed that the password might not have directly been Tinkerbell but somehow related to the name.

Techdirt Editor-in-Cheif, Mike Masnick noted that a common security question when resetting a password is “What is your favorite pet’s name?” For Hilton, the obvious answer would be Tinkerbell. From there, a bad actor could input their own password and access her account.” It wasn’t necessarily social engineering or a security hole or even real hacking (though, in some sense, it was a combination of all three),” Masnick added.

The lesson here is simple: if you have a famous dog, don’t make it the answer to your security question. That might not apply to the average person, but the idea is to make sure answers to security questions are obscure enough to only be known by you.

Mark Zuckerberg

Facebook F8
Facebook CEO Mark Zuckerberg Facebook

Meta (formerly Facebook) CEO Mark Zuckerberg had his Pinterest, Twitter, and Instagram compromised in 2016 by the hacker group OurMine for having the notoriously lazy password of dadada.

Look, this one should be obvious. Coming up with a good password requires moving around the keyboard a bit more.

Lisa Kudrow

Lisa Kudrow sitting at a restaurant in a scene from a film.
2015 Twentieth Century Fox Film Corporation

Friend’s actress, Lisa Kudrow accidentally doxed herself in 2019 when she uploaded a photo to her Twitter which included a sticky note with the password to her account.

This one isn’t technically a hack or someone guessing an easy password. But let it serve as a reminder to not store your passwords on sticky notes or on easily accessible online documents. Choose a reliable password manager, and you’ll never accidentally have this problem.

Evan Williams

Former Twitter CEO Evan Williams wearing a blue shirt.
Image used with permission by copyright holder

The former Twitter CEO had his own Twitter account hacked in 2016 after bad actors guessed his Foursquare password and figured out, he was reusing the same password for his social media account.

Another easy lesson for this one. Don’t reuse the same password for every account you have online. Again, password managers will fix this easily, but this is the most dangerous way to leave yourself vulnerable.

2020 Twitter account hijacking

Democratic Presidential Candidate Joe Biden Campaigns In Iowa
Chip Somodevilla/Getty Images

President Joe Biden and former President Barack Obama were affected by a Twitter hacking scam in 2020, in which bad actors infiltrated the accounts of several notable people. After accessing the Twitter accounts, hackers sent out tweets posing as charitable donations in the form of Bitcoin due to the COVID-19 pandemic, urging people to send sums of Bitcoin in order to receive that amount doubled.

Victims who sent Bitcoin of course never received any reward in return and the bad actors were able to get away with over $100,000. Meanwhile, over 130 celebrity Twitter accounts were affected by the scam including Kim Kardashian and Kanye West.

Ultimately, investigations determined that the hackers used administrative tools to bypass account security, so the actual celebrities were unable to protect themselves. However, this was once again a case where many celebrities were using the same password across multiple accounts, still leaving them vulnerable.

Celebgate

The massive iCloud hack known as “Celebgate” took place between 2014 and 2017 and affected nearly 100 famous women, including Rihanna, Scarlett Johansson, and Ariana Grande, whose private images were shared across the internet.

The hack was able to take place at that time because, in 2014, Apple did not lock accounts that had repeated login attempts take place. So, one method that bad actors tried was simply attempting to guess passwords over and over. Another method was attempting to find a weakness within Apple’s software, which they did in the find my iPhone app. They used this to find celebrities’ Apple IDs and email addresses and use these to send phishing emails requesting confirmation of usernames and passwords.

Emails would be sent from addresses such as appleprivacysecurity and text and format would be identical to those actually sent by Apple. Unsuspecting celebrities would input their Apple login information and send it directly to hackers.

During “Celebgate,” over 500 compromising photos were distributed online, first to the image board 4Chan, and then to other social media websites such as Imgur and Reddit.

Ways cybercriminals can access passwords

There are many ways hackers can access security information such as passwords or bypass passwords altogether to access accounts. Some popular methods include data breaches and malware or ransomware. However, there are other methods, when used on their own or combined with the aforementioned attacks can take bad actors directly to the passwords they desire.

Brute force attacks: Hackers might attempt to guess your password using software programs containing common password configurations. Notably, in recent times, cybersecurity researchers have been studying the PassGAN tool, which uses AI to crack common four- to seven-character passwords in seconds. The tool was trained on a data set that has collected information from popular breaches of companies over several years.

Social engineering: Hackers might attempt to guess your password based on your personal information, either attempting to trick you into divulging details or searching social media or other profiles for clues about your password. These might include your address, your name, family names, or birthday, among others. This is similar to the Donald Trump and Paris Hilton attacks.

Phishing scams: Hackers might attempt to send emails that look similar to legitimate businesses and interacting with links or inputting your personal information can send your data directly to bad actors. This is similar to the Celebgate attack. Phishing attacks can also unintentionally install malware onto a device, which then remotely gives hackers access to passwords.

Tips for keeping your password safe

One overarching theme of many of these hacks was that the public figures involved did not have the best password practices. However, many of us follow in their footsteps. Here are some tips you can use to keep your passwords safe.

  • Avoid using easy-to-guess passwords.
  • Spend a bit more time developing a unique password.
  • Use a password manager.
  • Don’t use the same password on multiple platforms.
  • Remember that companies will never ask for your password.
  • Implement 2-step verification on a device or service.
  • Be wary of phishing scams, and keep company email addresses starred or in your address book from prior interactions so that you’re familiar with them.

Editors' Recommendations

Fionna Agomuoh
Fionna Agomuoh is a technology journalist with over a decade of experience writing about various consumer electronics topics…
Chrome is making a key change to protect you from phishing
Google Chrome with pinned tabs on a MacBook on a table.

Phishing campaigns -- where a fraudulent website or email is made to look like it comes from a legitimate source -- have caused a huge amount of destruction, leading to untold numbers of virus infections and money lost through scams. Google has just rolled out a powerful way to fight phishing in its Chrome browser, however, and it could help you avoid falling victim.

As part of Chrome’s 15th-anniversary update, Google will be pushing its Enhanced Safe Browsing feature to all users in the coming weeks. This checks website URLs against a list of malicious sites stored on Google’s cloud servers, all in real time. If a match is found, the website is blocked and a warning is displayed to users.

Read more
Lapsus$ hackers convicted of breaching GTA 6, Nvidia, and more
A hacker typing on an Apple MacBook laptop, which shows code on its screen.

The Lapsus$ hacking gang caused havoc in 2021 and 2022 with a series of high-profile security breaches and ransom demands. Yet things have been very quiet since then, and two alleged members of the group have just been convicted in the U.K., potentially bringing an end to one of the most notable hacking sprees in recent times.

According to Bloomberg and the BBC, two people accused of being members of the gang were convicted in the U.K. of a number of crimes, including serious computer misuse, blackmail, and fraud. The defendants included Arion Kurtaj, 18, and a 17-year-old male who could not be named due to his age. Both defendants are autistic and psychiatrists deemed that Kurtaj was not fit to stand trial, so he did not give evidence. They will both be sentenced at a later date.

Read more
How smart light bulbs could steal your password
GE Cync smart lights review

If it's connected to the internet, it can get hacked -- yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Universita di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb's security measures might be insufficient.

Read more