When the AP Twitter stream was hacked a few weeks ago leading to a massive drop in the equities market, I went off. I found the fact that the AP – a news organization staffed by intelligent people and with a long history of adapting to new media – could be hacked through a phishing attack was unconscionable. It would be like Bank of America being hacked by a group of script kiddies.
Sadly, this happens over and over. Why? Thankfully the folks at the Onion had the foresight to explain what exactly happened when the “Syrian Electronic Army” “hacked” their Twitter stream.
If you run your company’s social media account, read it. The takeaways are here:
I think the third suggestion is the most important – always change your Twitter password on a regular basis and, more importantly, never ever ever ever click on a link that suggests you should change your Twitter password via the browser. If you must change your Twitter password, either do it through Twitter.com directly or, barring that, email Twitter. If you’re the AP or the ACLU or the Boston Pony And Terrier Lovers Of America Club, I’m sure they’ll help out.
Twitter itself needs to offer two-factor authentication or, at the very least, send you a text when someone changes your password. This is imperative. Twitter is now a medium for corporate communications, and for it to have the security of a web forum is unconscionable. The person in charge of your Twitter feed should also have a completely separate email address, outside of your domain, and that person should have a process in place to check the URL of the password change page and then only change the password if everything is kosher. At the risk of raising script kiddie, I would say that most “hackers” depend more on the stupidity of their marks and less on their technical skill.
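The “check the URL of the password change page” step above is the one a phishing mail is built to defeat, so it helps to see what the check actually has to reject. Below is an added Python example, not code from the original post or from Twitter: the allowlist of legitimate hosts and every sample link are constructed for illustration. It parses the link the way a browser would and accepts it only if the scheme is HTTPS and the host is exactly one of the allowed names, which disposes of the usual tricks (the real name as a subdomain of someone else’s domain, the real name stuffed into the user-info part before an `@`, a lookalike domain, a homoglyph host, or a non-HTTPS scheme).

```python
"""Allowlist check for a password-change link before anyone acts on it.

Added example: the post describes this check only in prose. ALLOWED_HOSTS
and all sample URLs are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts on which this account's operator
# will ever change the password. The post itself names only Twitter.com.
ALLOWED_HOSTS = frozenset({"twitter.com", "www.twitter.com"})


def check_password_page_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only for an HTTPS URL whose parsed
    host is exactly one of ALLOWED_HOSTS.

    Comparing the *parsed* hostname (not the text of the link) rejects the
    common phishing shapes:
      - allowed name as a subdomain of another domain (twitter.com.evil.example)
      - allowed name in the user-info part             (https://twitter.com@evil.example/)
      - lookalike registrable domain                   (twitter-password-reset.example)
      - homoglyph / IDN spoof                          (Cyrillic letters in the host)
      - plain-HTTP or non-HTTP scheme                  (http://..., javascript:...)
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"

    # urlsplit lower-cases the scheme for us.
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    host = parts.hostname  # lower-cased; user-info and port already stripped
    if not host:
        return False, "no host in URL"

    if parts.username is not None:
        # Anything before '@' in the authority is a decoy; the real host
        # is what follows it.
        return False, f"user-info present; real host is {host!r}"

    if not host.isascii():
        # Exact matching would fail anyway, but name the reason so the
        # operator learns what they were looking at.
        return False, f"non-ASCII host {host!r} (possible homoglyph)"

    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not on the allowlist"

    return True, f"host {host!r} is allowed"


if __name__ == "__main__":
    # Constructed sample links of the kind that show up in a reset e-mail.
    samples = [
        "https://twitter.com/settings/password",
        "HTTPS://Twitter.COM:443/settings/password",
        "http://twitter.com/settings/password",
        "https://twitter.com.evil.example/settings/password",
        "https://twitter.com@evil.example/settings/password",
        "https://twitter-password-reset.example/login",
        "https://tw\u0456tter.com/settings/password",  # Cyrillic 'і'
        "javascript:alert(1)",
    ]
    for link in samples:
        ok, why = check_password_page_url(link)
        print(f"{'ALLOW' if ok else 'BLOCK':5}  {link}\n        {why}")
```

The point of the design is that the decision never depends on what the link *looks like* in the mail: only the parsed scheme and hostname are consulted, and the hostname must match the allowlist character for character. A rejected link does not mean the account is compromised, only that the password gets changed by typing Twitter.com into the browser instead of by following the link.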
Don’t be stupid.