How Not To Look Stupid On Twitter

When the AP Twitter stream was hacked a few weeks ago, leading to a massive drop in the equities market, I went off. I found it unconscionable that the AP – a news organization staffed by intelligent people and with a long history of adapting to new media – could be hacked through a phishing attack. It would be like Bank of America being hacked by a group of script kiddies.

Sadly, this happens over and over. Why? Thankfully, the folks at the Onion had the foresight to explain exactly what happened when the “Syrian Electronic Army” “hacked” their Twitter stream.

If you run your company’s social media account, read it. The takeaways are here:

1. Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.

2. The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).

3. All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.

If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.

I think the third suggestion is the most important – always change your Twitter password on a regular basis and, more importantly, never ever ever ever click on a link that suggests you should change your Twitter password via the browser. If you must change your Twitter password, either do it through Twitter.com directly or, barring that, email Twitter. If you’re the AP or the ACLU or the Boston Pony And Terrier Lovers Of America Club, I’m sure they’ll help out.

Twitter itself needs to offer two-factor authentication or, at the very least, send you a text when someone changes your password. This is imperative. Twitter is now a medium for corporate communications, and for it to have the security of a web forum is unconscionable. The person in charge of your Twitter feed should also have a completely separate email address, outside of your domain, and that person should have a process in place to check the URL of the password change page and then only change the password if everything is kosher. At the risk of raising script kiddie, I would say that most “hackers” depend more on the stupidity of their marks and less on their technical skill.
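The “check the URL of the password change page” step above is the part people get wrong, because phishing links are built to look right at a glance. The following Python script is an added example, not code from the original post: it shows what an automated version of that check would have to reject. The allowlist (`twitter.com`) and the sample links are constructed for the example; the `is_trusted_password_page` function name is an assumption. Note that the hostname check is done on the parsed hostname, not on the raw string, so tricks such as a trusted name placed in the user-info part of the URL (`https://twitter.com@…`), a trusted name used as a subdomain of another domain, a plain-HTTP link, a non-standard port, or a non-ASCII lookalike hostname are all refused.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: hosts whose password pages we trust.
TRUSTED_HOSTS = frozenset({"twitter.com"})


def is_trusted_password_page(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if `url` points at a trusted host over plain HTTPS.

    The decision is made on the parsed components, never on substring
    matching of the raw URL, which is exactly what a phishing link abuses.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False

    # A password page must be served over TLS; an http:// link is a red flag.
    if parts.scheme.lower() != "https":
        return False

    # "https://twitter.com@evil.example/" parses 'twitter.com' as the username
    # and 'evil.example' as the host. Refuse any URL carrying user-info.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname  # already lower-cased by urlsplit
    if not host or not host.isascii():
        # Non-ASCII hostnames are lookalike candidates (e.g. an accented letter).
        return False
    host = host.rstrip(".")  # "twitter.com." is the same name in DNS

    if port not in (None, 443):
        return False

    # Exact match, or a subdomain of a trusted host. "twitter.com.evil.example"
    # does not end with ".twitter.com", so it is rejected.
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


# Constructed sample links and the verdict each should get.
SAMPLE_LINKS = {
    "https://twitter.com/settings/password": True,
    "https://mobile.twitter.com/settings/password": True,
    "http://twitter.com/settings/password": False,          # not HTTPS
    "https://twitter.com.example.net/login": False,         # trusted name as a subdomain
    "https://twitter.com@example.net/login": False,         # trusted name in user-info
    "https://twítter.com/login": False,                     # lookalike hostname
    "https://twitter.com:8443/login": False,                # non-standard port
    "https://example.net/twitter.com/login": False,         # trusted name only in the path
}


def check_links(links=SAMPLE_LINKS):
    """Run the check over a mapping of links; returns {url: verdict}."""
    return {url: is_trusted_password_page(url) for url in links}


if __name__ == "__main__":
    for url, verdict in check_links().items():
        print(f"{'OK    ' if verdict else 'REJECT'} {url}")
```

The useful property is that the verdict depends on the parsed host, scheme and port only; the path and the visible link text are ignored, because they are the parts an attacker fully controls.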

Don’t be stupid.