Published: 7 hours ago

The official X account of EcoCash was compromised on Wednesday by a hacker who claimed the mobile money platform had failed to refund US$35 allegedly missing from his account.

The breach lasted for more than two hours, during which the attacker posted explicit pornographic content, profanities and abusive messages directed at customers before the company eventually regained control of the account.

The hacker changed the account's profile picture to an explicit image and renamed the account with a profanity-filled statement demanding the return of his money.

In one of several posts made during the breach, the attacker claimed the incident was intended to expose what he described as weak security systems.

"I hacked the EcoCash account so that you see how insecure their systems are. I had my money stolen, US$35. They are refusing to return it," the hacker wrote.

There was no independent verification of the hacker's claim that he had lost money through the platform, and neither EcoCash nor its parent company had publicly addressed the allegation at the time of publication.

Throughout the incident, the attacker also responded to customers who had tagged the account seeking clarification about the unusual activity, often using offensive and abusive language.

When one user observed that someone appeared to have taken over the account, the hacker responded with an insulting message directed at the customer.

The attacker also appeared to mock the company's efforts to recover access to the account.

"You've changed the password five times and removed all followers. You can't remove me. Return my money. Insecure systems," one post read.

The incident quickly drew attention across Zimbabwe's social media landscape, with users expressing concern about the security of corporate social media accounts and questioning how such a high-profile platform could be compromised.

Rival mobile money operator OneMoney seized on the incident, posting a light-hearted jab at EcoCash while simultaneously reminding customers about good cybersecurity practices.

"We told them ‘1234' isn't a password… but they didn't listen," the company posted alongside advice encouraging users not to share PINs or use easily predictable passwords such as birth dates.

The breach has reignited discussions around cybersecurity and account protection for major corporations operating digital financial services.

Although EcoCash successfully regained control of the account, neither the company nor its parent firm, Econet Wireless Zimbabwe, had issued an official public statement nearly 20 hours after the account was restored.

It remains unclear how the attacker gained access to the account or whether any customer information was compromised during the incident.
- Zimlive

You might also want to read this

• EcoCash launches international money transfers from Zimbabwe
• EcoCash maintains market leadership amid rising competition
• High Court sets EcoCash hearing date
• Zimbabwe Reserve Bank bans mobile money agencies
• EcoCash charges further slashed
• EcoCash crash shows the vulnerabilities of going cashless
• EcoCash glitches leave thousands stranded
• EcoCash investigates unscrupulous agents
• Swipe into EcoCash service available
• EcoCash linked to NetOne, Telecel numbers