The Twitter account for Thomson Reuters, a news publisher, got hacked earlier today.
The hack underscores how easy it is to compromise large organizations’ Twitter accounts, which are often “protected” by nothing more than a single shared password.
It appears that @thomsonreuters fell briefly into the hands of the Syrian Electronic Army, a hacker group that has also claimed responsibility for temporary Twitter takeovers of NPR (on April 16, 2013), CBS’s 60 Minutes (April 21), and the Associated Press (April 23). The same organization took over Al Jazeera’s website in early 2012.
For about 45 minutes this evening, starting at 6:33 p.m. Eastern time, the Thomson Reuters feed started showing a series of violent and probably quite offensive political cartoons. (Buzzfeed has collected the series. Warning: Not pleasant imagery.) At 7:13pm, the account tweeted “Always via Syrian Electronic Army(@Official_SEA12) #SEA #Syria#SyrianElectronicArmy.”
Shortly thereafter, Twitter suspended the account.
It now appears to be operating normally and there is no trace of the bogus tweets, although there have been no updates to @thomsonreuters in about 7 hours.
“Earlier today @thomsonreuters was hacked,” a Thomson Reuters spokesman told the Wall Street Journal. “In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source.”
The Syrian Electronic Army supports the current government in Syria and is opposed to the rebel groups there. It’s not clear if it’s an official arm of the Syrian government.
Twitter added two-factor authentication in May, which requires you to enter a code sent via SMS to your phone whenever you sign in. That is probably not much use for organizations like NPR, AP, CBS, and Reuters, however, given that their Twitter accounts are no doubt managed by many different individuals. It might not even have protected against a phishing attack, which is probably how the hackers are getting these logins.
So the question is, how can Twitter better protect these accounts? And how can companies protect their own Twitter accounts in the meantime?