Some Solutions to Social Media Hijacking

by Ike Pigott · March 1, 2013 · 15 comments

The recent hacking of two major brand accounts (Burger King and Jeep) should have prompted some conversations and concern among those of you who manage a Twitter account for your brand. Whether you’re a Fortune 500 multinational or a local small business armed with Tweetdeck and a prayer, it’s time to do some deeper thinking about security.

The Good News First

  • Fortunately, for both Jeep and Burger King, no permanent damage was done to their reputation or the value of their respective brands.
  • Twitter issued a security fix!

The Bad News

  • The lack of lasting effects served to drop this off the radar for those who might have a stake in reputation management, and “out of sight” generally translates to “out of mind” on things we really don’t understand.
  • The “fix” Twitter announced closes only one avenue of attack: forged Twitter notification emails. It does nothing about the other ways an account gets taken over.

How Accounts Get Hacked

Just like any other social network that involves password security, Twitter accounts get compromised in several different ways. If you have ever received a Direct Message from someone that looks like this:

  • OMG! Did you know they had this video of you?? (malware link)
  • I can’t believe the things they are saying about you on this blog (malware link)
  • HAHAHA how old were you in this picture? (malware link)

This is good old-fashioned social engineering at play, designed to spike your curiosity and get you to click. Once you do, the site at the end of the trail of link-shorteners goes to work. It may try to run malicious script against your browser, but more commonly it shows a look-alike Twitter login page that harvests whatever password you type, or asks you to authorize a third-party app that is allowed to post as you. Either way, your account then broadcasts the same message to your followers. (Which typically means that moments before you got that DM, the sender clicked that very link…)
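The “trail of link-shorteners” is something you can unwind before anyone clicks. The script below is an added example, not code from the original post: it issues HEAD requests, refuses to follow redirects automatically, never reads a page body (so nothing from the destination runs), and records every hop so you can see where a suspicious DM link really terminates. The `FAKE_CHAIN` table and all `.example` hostnames are constructed so the logic runs offline; the default `head_location` fetcher does go over the network.

```python
"""Expand a chain of URL shorteners without loading the final page.

Added example (not from the original post). HEAD only, one hop at a time,
no bodies read, so no page content is executed while you look.
"""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


def head_location(url, timeout=5):
    """One HEAD request; return (status, Location header or None).

    Redirects are NOT followed here; expand() decides whether to take
    the next hop, so a long or looping chain cannot run away.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-expander/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop.

    Returns {'hops': [...], 'final': url, 'stopped': reason} where reason
    is 'final', 'loop' or 'too_many_hops'. `fetch` is injectable so the
    logic can be exercised offline with a fake resolver.
    """
    hops, seen, current = [url], {url}, url
    for _ in range(max_hops):
        status, location = fetch(current)
        if not (300 <= status < 400) or not location:
            return {"hops": hops, "final": current, "stopped": "final"}
        nxt = urljoin(current, location)  # Location may be relative
        hops.append(nxt)
        if nxt in seen:
            return {"hops": hops, "final": nxt, "stopped": "loop"}
        seen.add(nxt)
        current = nxt
    return {"hops": hops, "final": current, "stopped": "too_many_hops"}


def hosts(result):
    """Distinct hostnames along the chain, in order, for a quick eyeball."""
    out = []
    for h in result["hops"]:
        host = urlsplit(h).hostname
        if host and host not in out:
            out.append(host)
    return out


# Constructed, offline stand-in for a shortener chain (assumed hosts, not real links).
FAKE_CHAIN = {
    "http://sh.example/abc123": (301, "http://short2.example/xyz"),
    "http://short2.example/xyz": (301, "https://tiny.example/qq"),
    "https://tiny.example/qq": (302, "/landing?x=1"),
    "https://tiny.example/landing?x=1": (302, "http://evil-video-site.example/watch"),
    "http://evil-video-site.example/watch": (200, None),
}


def fake_head(url):
    """Offline fetcher that answers from FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    r = expand("http://sh.example/abc123", fetch=fake_head)
    for i, h in enumerate(r["hops"]):
        print(f"{i}: {h}")
    print("final:", r["final"], f"({r['stopped']})")
    print("hosts:", hosts(r))
```

Against a real short link, call `expand("https://...")` with the default fetcher; a chain that ends at a host you have never heard of, or that bounces through four shorteners to get there, is the tell. (Many shorteners also offer a preview of their own, for example appending `+` to a bit.ly link, which shows the destination without visiting it.)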

In the past, Twitter has told people who clicked those malware links to change their passwords as a precaution. It’s hard to know for sure whether your password was captured, but better safe than sorry: assume anything you typed into the page that followed the link is now in the attacker’s hands. While you’re at it, review the third-party apps connected to the account and revoke any you don’t recognize, since a rogue app keeps posting even after a password change.

But not all hijackings involve links. Often, the failure is in protecting the email address associated with the account. If you resist strong passwords because you can’t remember them, use a password manager; and if you do nothing else, save the strong stuff for your mail account. The password to your email is often the keys to the kingdom. Say that out loud with me. The password to your email is often the keys to the kingdom. Whoever holds it can trigger a “forgot password” reset on every other service and walk right in: Twitter, Facebook, bank accounts, your Dropbox… just, wow.

Your email is under attack all the time, by the way. You laugh off most of them, because it’s so obvious that you don’t have an account with Royal Bank of Scotland, and Citi, and eBay, and PayPal, and Wells Fargo, and waitaminit I do have some of those. We laugh at the ones that are so obviously not meant for us that we might fall for the others.

Let’s say for a moment that I wanted to be a complete jerk and hack the Twitter account for Social Media Explorer. I could try a brute-force attack on the login form, but that is slow, noisy, and likely to get the attempts throttled or the account locked. Or, I could simply scrape the web for email addresses associated with SME, and then send them an email that says:

FROM: Corp Email Security

SUBJECT: Potential hacking

We’ve recently learned about attempts to improperly access the SME.com email server. We’re on top of things, but just want to ensure safe delivery of our findings. Please log in to your email below to authenticate. Thanks.

Now, we haven’t heard the specifics of how Jeep and Burger King got hacked, but emails similar to the one above were circulating a month or so ago. Wouldn’t surprise me in the least if the email accounts of a brand manager or two got snared in something like this.

Twitter’s Fix Is Incomplete

Twitter announced action less than a day after Jeep’s episode, but it isn’t enough. Essentially, Twitter adopted DMARC, an email-authentication standard built on SPF and DKIM that lets a receiving mail server check whether a message claiming to come from twitter.com actually left Twitter’s servers, and discard it if it did not. That covers Twitter’s official notification emails: the Daily Digest, the New Followers, the You Got a Direct Message… So if I tried getting your Twitter password by spoofing a Twitter email address, your mail provider could now throw the message away before you ever saw it (provided your provider enforces DMARC, which the major webmail services do). But that does nothing for the person whose own email account is compromised completely, and nothing against a phishing email sent from any domain other than twitter.com!
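What DMARC buys you, and what it doesn’t, is easiest to see from the receiving side. The script below is an added example, not code from the original post or from Twitter; it triages an inbound message like the “Corp Email Security” phish above in two ways: it reads the SPF/DKIM/DMARC results that your own inbound mail server stamped into the `Authentication-Results` header (ignoring any such header a sender forged), and it checks whether the links in the body lead outside the From domain or show one host in the visible text while the real link goes elsewhere. The server name `mx.sme.example`, the `.example` domains and both sample messages are constructed for the example.

```python
"""Triage an inbound email that claims to come from a brand or service.

Added example, not part of the original post. Two offline checks:
  1. What did OUR inbound mail server record for SPF/DKIM/DMARC? Only the
     Authentication-Results header stamped by our own server counts; a
     sender can forge one of their own.
  2. Do the body's links lead outside the From domain, or show one host
     in the visible text while the real href goes elsewhere?
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

MY_AUTHSERV_ID = "mx.sme.example"  # assumption: our own inbound MTA's name


def load(raw):
    return email.message_from_string(raw, policy=policy.default)


def parse_auth_results(msg, authserv_id=MY_AUTHSERV_ID):
    """Return {'spf': .., 'dkim': .., 'dmarc': ..} from headers WE stamped."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        server, _, rest = str(raw).partition(";")
        if (server.split() or [""])[0] != authserv_id:
            continue  # stamped by someone else: untrusted, ignore
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(m.group(1), m.group(2))
    return results


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self._href, self._text = dict(attrs)["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def from_domain(msg):
    return email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def suspicious_links(msg):
    """Links outside the From domain, or whose shown host != real host."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    domain = from_domain(msg)
    flagged = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if host != domain and not host.endswith("." + domain):
            reasons.append(f"link host {host!r} is outside {domain!r}")
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown.lower() != host:
            reasons.append(f"text shows {shown!r} but href goes to {host!r}")
        if reasons:
            flagged.append((href, reasons))
    return flagged


def verdict(msg):
    """'reject' on DMARC fail; 'suspicious' on link mismatch or no DMARC pass."""
    auth = parse_auth_results(msg)
    if auth.get("dmarc") == "fail":
        return "reject"
    if suspicious_links(msg) or auth.get("dmarc") != "pass":
        return "suspicious"
    return "ok"


# Constructed sample messages (no real senders or links).
PHISH = """\
From: "Corp Email Security" <security@sme.example>
To: brandmanager@sme.example
Subject: Potential hacking
Authentication-Results: mx.sme.example; spf=fail smtp.mailfrom=sme.example; dkim=none; dmarc=fail header.from=sme.example
Authentication-Results: attacker.example; dmarc=pass
Content-Type: text/html; charset="utf-8"

<p>Please log in to your email below to authenticate.</p>
<p><a href="http://sme-login.example/webmail">https://mail.sme.example/</a></p>
"""

LEGIT = """\
From: "Twitter" <notify@twitter.example>
To: brandmanager@sme.example
Subject: You have new followers
Authentication-Results: mx.sme.example; spf=pass smtp.mailfrom=twitter.example; dkim=pass header.d=twitter.example; dmarc=pass header.from=twitter.example
Content-Type: text/html; charset="utf-8"

<p><a href="https://twitter.example/i/notifications">See who followed you</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        m = load(raw)
        print(name, parse_auth_results(m), suspicious_links(m), verdict(m))
```

Note the second `Authentication-Results` header in the phish: the sender stamped a `dmarc=pass` of their own, and it is ignored because the server name is not ours. Your inbound mail server should likewise strip any pre-existing header bearing its own name before adding its verdict, or the check is worthless. The link check is the part that still matters once a sender moves to a domain with no DMARC policy at all.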

“But Ike,” you say… “Ike, that’s not Twitter’s problem. That’s on you.” And you’re right. But there is a very simple step Twitter ought to take that would make brand managers more secure. It’s called Two-Step Authentication (your bank may call it two-factor), and you probably already use it somewhere. It adds a second check beyond the password, at login and any time a critical account change is requested. If you want to change the password, the account name, or the email address associated with the account, it makes you jump through an additional hoop: a one-time code sent by text message to a phone you’ve associated with that account, or generated by an authenticator app. (Some sites use a challenge question instead; that is a weak second step, since answers like a mother’s maiden name are often a web search away.) The point is that a phished or guessed password alone is no longer enough, which foils most of the attacks described above.

(If you feel like Twitter ought to make this available, why not speak up in the comments below, and tell us which brands you represent. Ad-hoc petition for the win.)

But if you can’t wait for that to happen…

Best Practices for Hack Avoidance

  • Use a strong, unique password for every account (a password manager makes this painless), and change it immediately if you suspect it has been exposed
  • Be extra-wary of any email that asks for a password, or gives you a link to sign in; type the site’s address yourself instead
  • Train your team on how to recognize malware link-jacks
  • Use a hidden email address

That last one bears some explaining.

If I want to take a stab at getting the SME Twitter password, I can try phishing for the email address associated with the account. But if the Twitter handle is registered to ZaphodDaleks20xd6@SME.com, then I probably won’t find it. And if that email address is used for nothing else, I won’t know it exists. (This is obscurity, not a lock: a site’s own password-reset screen may still show a masked hint of the address, so the alias makes you a harder target rather than an immune one.)

As a best practice, the email addresses for your social accounts should not be your regular address. Use an alias. Set a rule that forwards mail sent to ZaphodDaleks20xd6@SME.com to the address you regularly check. But don’t tie it to a personal address. (If you represent a brand big enough to have a “team,” this is a good idea anyway: the account then belongs to a role rather than a person, which avoids the issues that arise when a team member leaves the company.)

Most importantly, have a plan. Know the process for initiating a password reset, and go ahead and assemble a Cheat Sheet of who you would need to alert for each of the networks you’re using. You will never be hack-proof, but the above steps will make you a harder target, at least until Twitter and Pinterest and others step up their own game with Two-Step Authentication.


About Ike Pigott


In his previous life, Ike Pigott was an Emmy-winning TV reporter, who turned his insider's knowledge of the news cycle into a crisis communications consultancy. At the American Red Cross, serving as Communication and Government Relations Director for five southeastern states, Ike pioneered the use of social media in disaster. Now -- by day -- he is a communications strategist for Alabama Power and a Social Media Apologist; by night, he lurks at Occam's RazR, where he writes about the overlaps and absurdities in communications, technology, journalism and society. Find out how you can connect with Ike or follow him on Twitter at @ikepigott. He also recently won the coveted "Social Media Explorer contributing writer with the longest Bio" award.


Comments & Reactions

Comments Policy

Comments on Social Media Explorer are open to anyone. However, I will remove any comment that is disrespectful and not in the spirit of intelligent discourse. You are welcome to leave links to content relevant to the conversation, but I reserve the right to remove it if I don't see the relevancy. Be nice, have fun. Fair?

  • http://www.rancorinfotech.com/ Aasma

    I always keep my email id hidden and generally don’t click on any link, that says something which is too good to believe.

    • http://occamsrazr.com Ike Pigott

      Good for you! I’m right there with you, but there are a lot of companies that aren’t taking some of those simple measures. I hope this post gets their attention (and Twitter’s, too.)

  • http://twitter.com/krysVS Krys VanSlyke (VS)

    great article, if for no other reason than the density of geek references in that example email address! 

    But seriously, thanks for giving me something handy to send people to for this kind of issue.

    • http://occamsrazr.com Ike Pigott

      You’re welcome to share it along, glad you find it valuable.

      And anyone who knows all three references without looking them up is downright Shiny.

  • http://www.swordandthescript.com/ Frank Strong

    Good stuff Ike, as always. Haven’t thought about an alternate email for registration. It’s a good idea. I think Gmail provides some tools for that too that make it easy. At least I remember reading that somewhere, and maybe it’s time to go look for it again.

    • http://occamsrazr.com Ike Pigott

      The new Outlook.com is amazing; it supports up to 15 aliases per inbox.

      Go check it out.


  • OBVAVirtualAssistant

    A really useful post thank you – this is such a minefield and so annoying that we are unable to stop hijacking.

    • http://occamsrazr.com Ike Pigott

      Thanks for the kind words — and maybe this becomes a rallying cry for better tools.

  • http://www.garnerseo.co.uk/ Mick Edwards

    Great point about using obscure email addresses forwarded to a main account.

    • http://occamsrazr.com Ike Pigott

      Thanks. It’s not the perfect solution, but you have to use different tactics to spoil different avenues of attack.

      Additionally, if you’re in an enterprise environment, it’s wise to use an account that isn’t tied to an individual. That way, when the employee leaves you aren’t losing total control.

  • http://becomemade.net/ DavidCrowell

    I always said don’t click on things that you don’t need to be looking at. That would save a lot of people.

    • http://occamsrazr.com Ike Pigott

      Agreed — but those who engage on behalf of brands do find it necessary to do “due diligence” on tracking things down. Sometimes, you find gold while mining the links — and sometimes what you find is explosive from a reputation-protection standpoint.
