Your Password May Have Been Compromised and Sold on the Dark Web

Hackers Targeting Your Personal Data for Profit


Ensure your passwords feature a diverse mix of characters. Avoid using your pet’s name and, crucially, never recycle your passwords. While we’re all aware of the guidelines for keeping our digital credentials safe, it’s easy to forget them.

The trade of stolen personal data is booming on the dark web, which lies beyond the regular internet and is accessible only through specific software such as Tor. Tor was initially developed by the US Intelligence Agency for confidential communications. Not everything there is sinister; for instance, BBC News maintains dark web platforms for individuals facing oppressive surveillance.

To delve deeper, I consulted Rory Hattin, an ethical hacker from a firm dedicated to legally infiltrating companies to test security measures. He expressed a “remarkably slim” chance that my personal data hasn’t been compromised. Having reported on technology for years, I understand how prevalent data breaches are, but realizing I could be affected was a sobering wake-up call.

Hattin introduced me to a website called Have I Been Pwned, which consolidates usernames and passwords that have been leaked across the dark web into a searchable database. Upon entering my email address, I was alarmed to discover that I had been involved in 29 data breaches.

The most recent breach occurred in 2024 during an attack on the Internet Archive, where my email and password were exposed. My information was also part of 122 gigabytes of user data scraped from various Telegram channels, including a database known as NAZ.API originally shared on hacker forums. Other breaches involved sensitive information such as email addresses, job titles, phone numbers, IP addresses, password hints, and birthdates from major platforms like Adobe, Dropbox, and LinkedIn.

In theory, these leaks might seem limited in value. For instance, if LinkedIn is hacked, and your username and password are compromised, your Facebook account remains unaffected—unless, of course, you’re among the over 60% who reuse the same password repeatedly. In such cases, hackers can exploit your credentials across various sites. Hattin warns, “You’re in serious trouble.”

This includes online shopping accounts with saved payment methods, PayPal accounts, or cryptocurrency wallets. Gaining access to one account could allow intruders to infiltrate others, with email accounts acting as a treasure trove. Once they access an email account, they can reset passwords on multiple platforms, jeopardizing everything from your utility accounts to online banking. Additionally, hackers can misuse access to social media and email to launch scams against friends and family, presenting believable emergencies that require money transfers. The fact that these messages come from real accounts lends them an unsettling credibility, often leading to unfortunate outcomes.

Compounding the problem, businesses that experience data breaches are sometimes slow to inform customers, leaving them exposed for extended periods. Hattin noted that in his previous role with a client, he observed ransomware incidents being treated as mere inconveniences. Companies often encrypt victim data and demand ransom, viewing such attacks as merely part of doing business.

“These companies face breaches two or three times a year,” Hattin stated. “They set aside funds for when things go awry. They pay the ransom and carry on with their operations. This cycle persists globally.”

As I grappled with the exposure of my personal data, I was struck by its resemblance to the mechanically processed meat found in chicken nuggets. Hattin explained that premium personal data is acquired when sophisticated hackers breach a website and collect fresh data to sell. Once the initial buyers extract what they need, the data can be resold multiple times. The most valuable data gets distributed, while the remainder may be offered for free on hacker forums, Telegram groups, or other obscure parts of the internet.

Hattin introduced me to a paid service named Dehashed, illustrating how the data supply chain operates. This service is named after a common security measure that “hashes” passwords to obscure them; dehashing reverses this process. My worst fears were confirmed when I discovered that at least one of the passwords associated with my email address was current. In theory, nothing was preventing a hacker from accessing at least one of my online accounts.

Dehashed costs $219.99 per year and claims to cater to “law enforcement agencies and Fortune 500 firms.” I reached out to the company to inquire whether they were concerned that tools designed to match leaked data might also aid hackers and cybersecurity professionals, but received no response.

I felt compelled to explore the dark web further. I spoke with Anish Chauhan from Equilibrium Security Services, who showcased findings from his team’s tailored software. They identified 24 passwords connected to my online accounts.

“Users might think, ‘I have a 200-character password; no one will crack it,’” Chauhan explained. “But if they’re using it across multiple sites, it could eventually be exploited, making it irrelevant. Unfortunately, as humans, we often choose the path of least resistance.”

Chauhan suggested a straightforward solution you’ve likely heard before: use unique passwords for each account. Given how widely my information has been circulated, the importance of this advice is painfully clear.

Fortunately, numerous tools exist to simplify this process. Most modern devices and internet browsers include password managers that generate strong, random passwords and remember them for you. If you’re concerned about your passwords already being compromised, it may be worth checking services like Have I Been Pwned or investing in more comprehensive tools that monitor the darker regions of the internet for leaks.
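The check that Have I Been Pwned performs can be done without ever sending the password itself: the client hashes the password, sends only the first five hex characters of the hash, receives every leaked hash suffix under that prefix, and matches locally (the real service exposes this as the Pwned Passwords "range" endpoint). The following is an added example, not code from the article or from Have I Been Pwned, Dehashed or Equilibrium Security: it simulates the server side with a small constructed corpus of "leaked" passwords and made-up counts, so it runs offline, and pairs the check with a password generator of the kind a password manager provides. All names, the corpus and the counts are assumptions for illustration.

```python
import hashlib
import secrets
import string

# Constructed "breach corpus": a few passwords with made-up leak counts.
# A real service holds hundreds of millions of these; the shape is the same.
_LEAKED_PASSWORDS = {
    "password123": 1_234_567,
    "letmein": 98_765,
    "Winter2024!": 3,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Server side: group leaked hashes by their first five hex characters.
    Each bucket stores only the 35-character suffix and the leak count."""
    index: dict = {}
    for password, count in leaked.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(_LEAKED_PASSWORDS)


def range_lookup(prefix: str) -> list:
    """Simulated server endpoint: the only thing it ever learns is the prefix.
    Returns every (suffix, count) pair in that bucket, possibly an empty list."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(RANGE_INDEX.get(prefix.upper(), []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side of the k-anonymity check.

    Hash the password locally, send only the 5-character prefix, then compare
    the returned suffixes against our own suffix. The full hash and the
    password never leave this function. Returns the leak count, 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (what a password manager does).

    Loops until the result contains at least one lowercase letter, one
    uppercase letter, one digit and one punctuation character, because many
    sites enforce such rules; with length >= 4 this terminates quickly."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy all classes")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for pw in ("password123", "Winter2024!", "correct horse battery staple"):
        n = breach_count(pw)
        verdict = f"seen {n} times in the corpus" if n else "not in the corpus"
        print(f"{pw!r}: {verdict}")
    fresh = generate_password()
    print(f"generated {fresh!r}: seen {breach_count(fresh)} times")
```

Swapping `range_lookup` for a function that fetches the real range endpoint over HTTPS keeps the client logic unchanged; the point of the design is that a compromised or curious server still only sees a prefix shared by thousands of unrelated passwords.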

In recent years, I’ve relied on a password manager to create robust passwords and keep them organized. However, I noticed that some long-standing accounts have been neglected, housing old and breached logins. In light of this revelation, I plan to update my credentials before this article goes live.

That said, changing passwords isn’t something I do frequently. It’s understandable why many take shortcuts, overwhelmed by constant demands to create new login information. I’m certainly not the only one.

“I’m quite tech-savvy, yet I hardly change my passwords,” Hattin disclosed. “For work, I do, but in my personal life, I tend to be a bit lazy.”


Source: www.newscientist.com

100,000 UK Taxpayer Accounts Compromised in £47 Million HMRC Phishing Scam

HM Revenue & Customs (HMRC) has experienced a loss of £47 million due to phishing scams that have compromised tens of thousands of tax accounts, a panel of lawmakers has been informed.

On Wednesday, two senior tax officials briefed the Treasury Committee, reporting that 100,000 individuals have been contacted or are being contacted after their accounts were locked as part of an “organized crime” investigation initiated last year.

John Paul Marks, CEO of HMRC, stated that the affected taxpayers will face “no financial loss.”

He explained to the committee: “About 0.2% of the PAYE population is being notified, with approximately 100,000 individuals informed that unusual activity has been detected on their PAYE accounts.”

Marks clarified that this pertains to individual workers’ payment accounts, not business accounts.

He further elaborated: “This incident involved organized crime phishing for identity data outside of the HMRC system, which unfortunately affects banks and other entities that utilize that data to set up PAYE accounts for refunds or accessing existing accounts.”

He informed MPs of investigations into issues from last year that “involve jurisdictions beyond the UK,” which led to “arrests last year.”

Angela McDonald, HMRC’s deputy chief executive and second permanent secretary, added:

“Ultimately, we successfully protected £19 billion that was targeted during last year’s attacks.”

McDonald made it clear that this breach is “not a cyber attack, there has been no hacking, and data has not been extracted.”

She went on to state: “The act of compromising someone’s system to extract data and implement ransomware constitutes a cyber attack. That is not what transpired here.”

HMRC reported that it has secured the details of the affected accounts and has eliminated logins to prevent future unauthorized access.

Incorrect information has been purged from tax records, and authorities are verifying that no other details have been altered.

Affected individuals will receive notifications from HMRC within the next three weeks.

Marks noted that HMRC’s phone line experienced an outage on Wednesday afternoon, but this was “accidental” and would be “up and running” by Thursday.

A spokesperson for HMRC stated: “We have taken steps to safeguard our customers after identifying attempts to access a minimal amount of tax revenues and will collaborate with law enforcement both domestically and internationally to bring the culprits to justice.

“This was not a cyber attack; instead, it involved criminals utilizing personal information from phishing activities or data obtained from other sources to attempt to claim funds from HMRC.”

“We are sending letters to affected customers to assist in securing their accounts and to reassure them that they have not lost any money.”

Last week, UK banks and payment companies were advised to enhance their anti-fraud systems for international transactions due to a rising number of fraudsters targeting individuals abroad.

Recent statistics indicated that international payments account for 11% of the losses attributed to push payment fraud in 2024.

Source: www.theguardian.com