On this right here weblog of ours we continually write about all types of cyberattacks and their devastating results — from cryptocurrency theft to private knowledge leaks. But there’s a unique class of high-profile hacks: these the place the hackers aren’t after cash, however as a substitute pull off foolish stunts which are largely innocent sufficient and only for enjoyable (although some (one particularly — the Ecovacs hack, under) could possibly be extra critical than others). As we speak, we let you know about 5 of those and talk about the teachings we are able to be taught from them…
“They’re in all places!” When site visitors lights speak to you within the voices of Zuckerberg and Musk
Within the spring of 2025, unknown people hacked crosswalk buttons on site visitors lights throughout Silicon Valley. These audio-enabled buttons are broadly put in on pedestrian alerts throughout the USA. As you would possibly count on, they’re designed for folks with visible impairments: their principal goal is to play voice messages that assist pedestrians who can’t see effectively perceive when it’s secure to cross the street.
The unknown people changed the usual voice messages on crosswalk buttons in a number of Silicon Valley cities with their very own — that includes AI-generated imitations of the ever-present tech-billionaires Mark Zuckerberg and Elon Musk. Movies recorded by native residents present the hacked buttons taking part in the messages.
In a voice imitating Mark Zuckerberg: “It’s regular to really feel uncomfortable and even violated, as we forcefully insert AI into each aspect of your acutely aware expertise. I simply wish to guarantee you, you don’t want to fret as a result of there’s completely nothing you are able to do to cease it.”
In a voice imitating Elon Musk: “You recognize, they are saying cash can’t purchase happiness… I suppose that’s true. God is aware of I’ve tried. However it could purchase a Cybertruck and that’s fairly sick, proper? F***, I’m so alone.”
One other message in a simulated Musk voice: “You recognize, folks hold saying most cancers is unhealthy, however have you ever tried being a most cancers? It’s f****** superior. Name me Elonoma. Heh-heh-heh.”
The billionaires’ voices have been clearly AI-generated, however precisely how the hackers managed to breach the site visitors mild audio buttons stays unknown. Safety specialists have famous, nevertheless, that default passwords are sometimes used when connecting these sorts of buttons, and no one bothers to alter them after set up.
It seems to be like nobody was damage by the prank – besides perhaps the billionaires’ delight.
In Illinois, college students be taught a key lesson: always remember about Rick
On the final Friday of the 2021 college yr, all of the TVs and projectors in school rooms throughout six colleges in Prepare dinner County, Illinois, turned on by themselves. A message appeared on the screens: “Please stay the place you might be. An essential announcement will likely be made shortly.” A five-minute countdown timer was displayed under the unsettling message…
5 minutes later, 500 screens concurrently began exhibiting the well-known Rick Astley video for By no means Gonna Give You Up. Later that very same day, the tune performed once more over the colleges’ public tackle techniques.
The hackers behind this shock pop… basic’s airing have been 4 American college students, and what they did was pull off one of many greatest Rickrolls in historical past that day. A Rickroll is a well-liked on-line prank the place an unsuspecting person is shipped a seemingly essential or thrilling hyperlink, solely to be redirected to the video for English singer Rick Astley’s 1987 hit, By no means Gonna Give You Up. Rickrolling achieved cult standing again in 2007 after spreading on the 4chan imageboard.
Let’s get again to the 4 college students. Their huge Rickroll was a hi-tech twist on a basic American custom generally known as the senior prank: principally, a good-natured prank pulled by high-school, school, or college seniors earlier than commencement.
Nonetheless, the 4 Illinois college students clearly took it to a brand new degree. To tug off their Rickroll, they exploited pretty primary vulnerabilities within the college’s infrastructure. For instance, the pranksters gained entry to the system controlling a whole lot of projectors and TVs throughout the whole college district as a result of the default usernames and passwords hadn’t been modified after setup.
Equally, the scholars have been in a position to log into the colleges’ audio public tackle techniques. The one that initially configured the PAs diligently modified the default system password to the one offered for instance within the person guide, which after all was out there on-line. Whereas they have been at it, the hacking staff found an administrator account with “password” used because the password.
It’s value highlighting simply how responsibly the hackers approached the entire operation. Earlier than finishing up the Rickroll, the prankster staff ready an in depth 26-page report, which they despatched to the varsity directors instantly after the incident. In it, the scholars totally described their actions and offered suggestions for enhancing the colleges’ cybersecurity. Moreover, as soon as the Rickroll was over, the script they wrote restored the varsity techniques again to their unique state.
We all the time knew: the rise of the machines would start with robotic vacuums
Final yr, experiences surfaced on-line a few sequence of hacks focusing on Chinese language-made Ecovacs Deebot X2 robotic vacuums in cities throughout the USA. Pranksters assumed management of the robots’ actions and shouted expletives by means of the built-in audio system. Moreover, they may spy on the homeowners by means of the built-in cameras.
The story seemingly had its beginnings on the DEF CON 32 hacker convention, the place cybersecurity researchers Dennis Giese and Braelynn Luedtke offered their speak, Reverse engineering and hacking Ecovacs robots. The presentation described vulnerabilities they’d found in Ecovacs robotic vacuums and lawnmowers, in addition to strategies for exploiting them. As a part of their research, the researchers have been in a position to acquire distant entry to the built-in microphones and cameras and management the vacuums’ actions. We beforehand coated their work intimately in our put up Ecovacs robotic vacuums get hacked.
(By the best way, throughout their presentation at DEF CON, Giese and Luedtke themselves grew to become the goal of a hacker prank: a member of the viewers managed to take management of the presenter’s clicker and spent a number of minutes messing with the audio system by randomly flipping by means of their slides.)
Giese and Luedtke reported their findings to the seller in a accountable method. Ecovacs engineers tried to patch the vulnerabilities, however didn’t have a lot luck. A number of months after the report went out, unknown tech fans, seemingly impressed by the research, have been in a position to recreate the strategies described in it to execute a sequence of assaults on different folks’s robotic vacuums. For instance, in a single such assault in California, a robotic chased the proprietor’s canine round the home whereas shouting obscenities.
The precise variety of victims from this sequence of hacks stays unknown, because it’s believable that the pranksters didn’t all the time make their presence apparent — they may have merely noticed the vacuum homeowners’ lives. That, clearly, would have been a really critical infringement of these homeowners’ privateness – and will by no means be described as mere “enjoyable and video games”; neither might this: what if Ecovacs lawnmowers are subsequent?
Lizard Squad “breaking free”: a defacement free redesign of Lenovo’s web site
Right here’s one other playful assault by youngsters, this time focusing on Lenovo. A decade in the past, the pc producer’s web site was hacked. Guests have been redirected to a slideshow that includes photographs of bored-looking adolescents, presumably the hackers themselves, all set to the tune Breaking Free from Disney’s Excessive College Musical.
Clicking on the slideshow would lead customers to the hacking group Lizard Squad’s account on X, which was nonetheless generally known as Twitter on the time. The hackers left a jab on the site owners within the supply code: “The brand new and improved rebranded Lenovo web site that includes Ryan King and Rory Andrew Godfrey”. These two people had beforehand been linked to Lizard Squad.
The assault was orchestrated by way of DNS hijacking. The hackers altered the DNS data for lenovo.com, inflicting all customers trying to achieve the official firm web site to be routinely redirected to a pretend web page managed by the pranksters.
The assault was apparently a protest towards what was seen as the pc vendor’s lax perspective towards safety and person safety. Shortly earlier than the defacement, it was revealed that Lenovo had been promoting laptops preloaded with Superfish malware. This made customers who bought contaminated gadgets probably susceptible to knowledge interception and man-in-the-middle assaults. Thus, the hack appears form of fallacious, however on the similar time feels justified.
Deliver again 2013, when Twitter accounts have been hacked for mischief — not crypto scams
Nowadays, when the X account of a high-profile particular person or main firm will get hacked, it nearly invariably results in some form of cryptocurrency rip-off. Nevertheless it wasn’t all the time this manner. Only a decade in the past, widespread accounts on what was then nonetheless generally known as Twitter have been extra typically hijacked for giggles than for illicit monetary acquire.
Take February 2013, for instance. Unknown hackers breached Burger King’s Twitter account to put up this gem: “We simply obtained offered to McDonalds! Search for McDonalds in a hood close to you.”
On prime of that, Burger King’s profile image was swapped out for the McDonald’s emblem, and their bio learn: “Simply obtained offered to McDonalds as a result of the whopper flopped.” The bio additionally included the misspelled line “FREDOM IS FAILURE” and a useless hyperlink to a press launch.
For about an hour, the attackers posted more and more outrageous messages earlier than Twitter lastly suspended the account. Apparently, Burger King’s arch-rival, McDonald’s, tweeted a message of help — whereas ensuring to make clear that they had nothing to do with the breach.
Quick-forward to August 2017, which was when the Ourmine hacking outfit focused the Twitter account of soccer big Actual Madrid. The hackers used the membership’s account to announce that none apart from Lionel Messi, who then performed for Actual Madrid’s fiercest rival, FC Barcelona, was transferring to Actual Madrid.
The put up shortly racked up 2800 likes and 3100 retweets. Ourmine additionally posted a sequence of tweets claiming duty for the hack, with one declaring, “Web safety is s*** and we proved that.” It’s laborious to argue with that.
A takeaway from the hacks: shield your password from the beginning
Maybe probably the most essential lesson to be taught from these on-line shenanigans is that this: utilizing weak — and even worse, default — passwords is a surefire technique to hand management of your gadget, account, or web site to web pranksters… in the event you’re fortunate. Weak passwords have been what tripped up metropolis infrastructure and faculty directors, and it’s extremely seemingly that the Twitter account hacks have been additionally linked to a careless strategy to password insurance policies.
This weblog has ceaselessly mentioned the right way to create robust passwords. However to wrap issues up, let’s reiterate just a few primary guidelines of password hygiene:
- Passwords needs to be at the very least 16 characters lengthy, and even longer if the web site permits it.
- When making a password, it’s good apply to combine uppercase and lowercase letters, numbers, and particular characters.
- It’s greatest to keep away from simply guessable issues like widespread phrases or dates in your password. And also you positively shouldn’t use the phrase “password”.
- Ideally, your password needs to be a random mixture of characters.
- Create a brand new, distinctive password for every web site.
In fact, any person right this moment indicators up for dozens, if not a whole lot, of on-line providers. So, remembering lengthy and distinctive passwords for every one isn’t possible. That’s the place Kaspersky Password Supervisor may help you handle this and shield your self not simply from pranks, however from much more critical penalties.
Moreover, the app routinely checks all of your passwords for uniqueness, and helps you create really robust and random mixtures of characters. So, when utilizing Kaspersky Password Supervisor, you don’t have to hold all these advanced guidelines in thoughts — the password supervisor does all of it for you. Past passwords, Kaspersky Password Supervisor can retailer and sync two-factor authentication tokens and passkeys. We not too long ago totally explored this new passwordless know-how for accessing web sites and providers in our full information to utilizing passkeys in 2025.
