It seems even Twitter is a little shaken up about the recent rash of major media account hacks. The company sent out a letter to publications saying it expects more hacks and provided tips on how to keep Twitter accounts safe.
In April, hackers broke into and tweeted from the Twitter accounts of CBS, NPR, and the Associated Press. The hackers posted messages that accused the U.S. government of “being in bed” with terrorists, and in the Associated Press’ case, faked an explosion at the White House.
That one bogus AP tweet caused the Dow Jones Industrial Average to drop 1 percent almost immediately, highlighting just how much people trust Twitter as a breaking news resource. Undoubtedly this puts a lot of pressure on Twitter, and it’s trying to make sure publications know that this is a problem that isn’t going away just yet.
“We believe that these attacks will continue and that news and media organizations will continue to be high value targets to hackers,” Twitter said in the memo, which was posted by Buzzfeed.
A group called the Syrian Electronic Army, a pro-regime hacking collective, took credit for the hacks, though they are far from the only people trying to get attention through these means. The hackers, according to Twitter, are mostly able to get access through phishing attempts alone. These are tricks that hackers use to get regular people to simply give up their login information.
Twitter urges companies not to share their passwords in email or over the Internet and to limit the number of people who have access to the account.
It also seems to be grasping at straws, telling publications to designate one computer from which people tweet. Those who tweet from this computer, however, should not access the Internet in other ways (such as for email) lest they expose themselves to malware. It seems a little outlandish for the pace of breaking news today. “Hold on guys, just filed my story. Need to ask Jimmy down at the copy desk to tweet it out next time he’s on the Twitter laptop.”
The company also asks publications to use two-factor authentication on their email addresses and to otherwise use strong passwords. Twitter specifically called out LastPass and 1Password as good methods of storing individual passwords for all your accounts (since often a good password for every site you use is hard to remember).
Of course, we’ve heard the rumors that Twitter is working on its own two-factor authentication, and we’re happy about that. But as PhishMe chief executive Aaron Higbee explained shortly after the AP incident: two-factor authentication won’t always save you. Businesses really need to put their employees through some kind of phishing training to show them what a phishing attack looks like, how convincing such attacks really are, and the best ways to avoid them.
Check out the letter:
Please help us keep your accounts secure. There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that
news and media organizations will continue to be high value targets to
What to be aware of:
These incidents appear to be spear phishing attacks that target your
corporate email. Promoting individual awareness of these attacks
within your organization and following the security guidelines below
is vital to preventing abuse of your Twitter accounts.
Take these steps right now:
Change your Twitter account passwords. Never send passwords via
e-mail, even internally. Ensure that passwords are strong - at least 20
characters long. Use either randomly-generated passwords (like
“LauH6maicaza1Neez3zi”) or a random string of words (like “hewn cloths
titles yachts refine”).
Keep your email accounts secure. Twitter uses email for password
resets and official communication. If your email provider supports
two-factor authentication, enable it. Change your e-mail passwords,
and use a password different from your Twitter account password.
Review your authorized applications. Log in to Twitter and review the
applications authorized to access your accounts. If you don’t
recognize any of the applications, contact us immediately by emailing
Help us protect you. We’re working to make sure we have the most
updated information on our partners’ accounts. Please send us a
complete list of all accounts affiliated with your organization, so
that we can help keep them protected.
Build a plan. Create a formal incident response plan. If you suspect
your organization is being targeted by a phishing campaign or has been
compromised by a phishing attack, enact the plan.
Contact us immediately at firstname.lastname@example.org with the word “Hacking”
in the subject. Include copies of suspected phishing emails.
If you lose access to an account, file a Support ticket and email the
ticket number to email@example.com.
Review our security guidelines to help make sure your accounts are as
secure as possible.
Talk with your security team about ensuring that your corporate email
system is as safe as possible. A third-party provider that allows for
two-factor authentication might be a safer solution.
Strong security practices will reduce your vulnerability to phishing.
Consider the following suggestions:
Designate one computer to use for Twitter. This helps keep your
Twitter password from being spread around. Don’t use this computer to
read email or surf the web, to reduce the chances of malware
Minimize the number of people that have access. Even if you use a
third-party platform to avoid sharing the actual Twitter account
password, each of these people is a possible avenue for phishing or
Check for signs of compromise. Checking your email address and
authorized apps weekly or monthly can help detect unauthorized access
and address the problem before access is abused.
Double-check the email address associated with your Twitter accounts:
Review the apps authorized to access your accounts:
Change your password regularly. Changing your Twitter password
quarterly or yearly can reset the clock if a password has leaked.
Using a Password Manager integrated into your browser can help prevent
successful phishing attacks.
Third-party solutions such as 1Password or LastPass, as well as the
browser’s built-in password manager, will only auto-fill passwords on
the correct website. If the password manager does not auto-fill, this
might indicate a phishing attempt.
Password managers make it much easier to use a very strong password.
Very difficult passwords will discourage memorization, which will
greatly reduce the chances of being phished.
Be certain to set a master password, since otherwise passwords may be
Don’t hesitate to email us if you need assistance.
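The letter's point that a password manager only auto-fills on the correct website can be shown with a simplified exact-origin check. This is an added example, not code from Twitter's memo or from any password manager; the vault entry, URLs and function names are constructed, and real managers apply their own matching rules.

```javascript
// Simplified model of the check a password manager runs before auto-filling.
// Assumption: credentials are released only on an exact HTTPS origin match.
// The vault entry and every URL used with it are constructed for illustration.
const vault = [
  { site: "https://twitter.com", username: "newsdesk", password: "<stored-secret>" },
];

// Normalize a page URL to its origin (scheme + host + non-default port).
// Returns null for unparsable URLs and for anything that is not HTTPS.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    if (u.protocol !== "https:") return null; // never fill over plaintext HTTP
    return u.origin; // host is lowercased, default port 443 is dropped
  } catch {
    return null;
  }
}

// Return the stored entry for this page, or null when nothing should be filled.
function credentialsFor(pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  const entry = vault.find((e) => new URL(e.site).origin === origin);
  return entry ?? null;
}

// A missing auto-fill on a page that looks like the real login form is the
// signal the letter describes: the user should stop and inspect the address.
function autofillReport(urls) {
  return urls.map((url) => ({
    url,
    filled: credentialsFor(url) !== null,
  }));
}

// Constructed sample pages: one genuine, the rest lookalikes.
const report = autofillReport([
  "https://twitter.com/login",                        // genuine origin
  "http://twitter.com/login",                         // downgraded scheme
  "https://twitter.com.account-verify.example/login", // real name used as a subdomain
  "https://twitter.com@login.example/",               // real name in the userinfo part
  "https://tw\u0456tter.com/",                        // Cyrillic lookalike letter
]);
for (const row of report) {
  console.log(row.filled ? "fill  " : "refuse", row.url);
}
```

Only the first sample URL is filled; the others resolve to a different origin even though the string "twitter.com" appears in each.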