In recent weeks, the Associated Press, NPR and the BBC have all had their Twitter accounts hijacked. As hacks of high-profile accounts have real-world consequences, the security at Twitter is coming under increased scrutiny.
As the social media platform has become an essential news and communication platform globally, it has also become a honey pot for hackers. It’s so deliciously attractive, they can’t seem to resist.
“I think more than something about Twitter’s security is the fact it’s so desirable as a platform because you get this instant, real-time access to a very, very large audience,” says Mark Risher, founder and CEO of Impermium, which specializes in protecting social media accounts.
“It’s very tempting,” he says. “It’s almost irresistible to these remote hackers who are able to operate really anywhere in the world and just continue these deliberate, concerted efforts to break into specific accounts.”
A successful hack of the right Twitter account can make news — such as when the AP’s account was used to send a false message that sent the stock mark into a brief nosedive Tuesday.
The Syrian Electronic Army claimed responsibility for the AP Twitter hack, in which a bogus tweet said there had been explosions at the White House. Last week, the same group hacked into several of NPR’s accounts.
The attack against AP began with a cleverly disguised email to staffers that included a malicious link.
“Phishing messages have become much more convincing, much more realistic than those old Nigerian oil minister who wants to give you $25 million,” Risher says. “And maybe most importantly they’re coming from reputable channels, or at least look like they’re do.”
If hackers compromise a computer and either steal a Twitter password or trick someone into giving that password up, they’re in. That’s all it takes. And Scott Behrens, senior security consultant at Neohapsis Labs, says it’s not just media companies that need to be concerned.
“Imagine if an attacker compromised a Twitter feed for, say, a medical company and tweeted something about a new drug or a partnership. That could cause once again turmoil in the stock market,” Behrens says.
Some simple steps could make attacks like these more difficult.
“There may be some room for Twitter to improve by adding additional technologies around logging in, such as two-factor authentication,” Behrens says.
When using two-factor IDs, if a hacker logs in from an unknown location, he or she wouldn’t just need a stolen password. Using this technology, the hacker would also need a one-time code sent by Twitter — delivered to a cellphone or a secure email address — before he could get in.
This approach isn’t foolproof, but Twitter has hired engineers to begin rolling it out.
Still, Behrens says the primary responsibility for keeping social media accounts secure rests with the people and institutions that use them. And many need better passwords, better practices and better defenses against hackers.