Some Solutions to Social Media Hijacking

Email password breaches are the root of many hijackings

by Ike Pigott

The recent hacking of two major brand accounts (Burger King and Jeep) should have prompted some conversations and concern among those of you who manage a Twitter account for your brand. Whether you’re a Fortune 500 multinational or a local small business armed with Tweetdeck and a prayer, it’s time to do some deeper thinking about security.

The Good News First

  • Fortunately, for both Jeep and Burger King, no permanent damage was done to their reputation or the value of their respective brands.
  • Twitter issued a security fix!

The Bad News

  • The lack of lasting effects served to drop this off the radar for those who might have a stake in reputation management, and “out of sight” generally translates to “out of mind” on things we really don’t understand.
  • The “fix” Twitter announced only covers a small subset of the vulnerabilities.

How Accounts Get Hacked

Just like any other social network that involves password security, Twitter accounts get compromised in several different ways. If you have ever received a Direct Message from someone that looks like this:

  • OMG! Did you know they had this video of you?? (malware link)
  • I can’t believe the things they are saying about you on this blog (malware link)
  • HAHAHA how old were you in this picture? (malware link)

This is good old-fashioned human engineering at play, designed to amp your curiosity and get you to click. Once you do, the site at the end of the trail of link-shorteners drops some JavaScript on you, and depending on the security of your browser it may broadcast itself to your friends through your account. (Which typically means that moments before you got that DM, the sender clicked that very link…)

In the past, Twitter has told people affected by those malware links to change their passwords, as a precaution. It’s hard to know for sure if your password was snagged, but better safe than sorry, and I am not about to doubt the ingenuity of a hacker’s ability to pull it over the net.

But not all hijackings involve links. Often, it is a failure to protect the email address associated with the account. If you’re hesitant about strong passwords because you can’t remember them all, then at least save the strong stuff for your mail accounts. The password to your email is often the keys to the kingdom. Say that out loud with me. The password to your email is often the keys to the kingdom. From there, you can get anywhere. Twitter, Facebook, bank accounts, your Dropbox… just, wow.

Your email is under attack all the time, by the way. You laugh off most of them, because it’s so obvious that you don’t have an account with Royal Bank of Scotland, and Citi, and eBay, and PayPal, and Wells Fargo, and waitaminit I do have some of those. We laugh at the ones that are so obviously not meant for us that we might fall for the others.

Let’s say for a moment that I wanted to be a complete jerk and hack the Twitter account for Social Media Explorer. I could try the brute force hack, but that would be empty and time-consuming. Or, I could simply scrape the web for email addresses associated with SME, and then send them an email that says:

FROM: Corp Email Security

SUBJECT: Potential hacking

We’ve recently learned about attempts to improperly access the email server. We’re on top of things, but just want to ensure safe delivery of our findings. Please log in to your email below to authenticate. Thanks.

Now, we haven’t heard the specifics of how Jeep and Burger King got hacked, but emails similar to the one above were circulating a month or so ago. Wouldn’t surprise me in the least if the email accounts of a brand manager or two got snared in something like this.

Twitter’s Fix Is Incomplete

Twitter announced action less than a day after Jeep’s episode, but it isn’t enough. Essentially, Twitter is using a more robust security protocol in the sending of its official notification emails: the Daily Digest, the New Followers, the You Got a Direct Message… So if I tried getting your Twitter password by spoofing a Twitter email address, it would be more easily recognized as fake. But that does nothing for the person whose email account is compromised completely!

“But Ike,” you say… “Ike, that’s not Twitter’s problem. That’s on you.” And you’re right. But there is a very simple step Twitter ought to take that would make brand managers more secure. It’s called Two-Step Authentication, and you probably already use it. It involves a secondary step anytime a critical account change is requested. If you want to change the password, or the account name, or the email address associated with the account — it makes you jump through an additional hoop. It might be a challenge question, or could be a text message to a cell phone you’ve associated with that account. Essentially, the Two-Step foils many associated attacks.

(If you feel like Twitter ought to make this available, why not speak up in the comments below, and tell us which brands you represent. Ad-hoc petition for the win.)
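What that second step looks like server-side, as an added Python sketch that is neither Twitter’s code nor anything from the original post: changes to the password, account name or email address are parked as a pending change, a one-time code goes out over the phone registered with the account, and the change is only applied when that code comes back. The five-minute expiry, the three-attempt limit and the in-memory `sms_outbox` standing in for a real SMS gateway are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The article's "critical account changes": password, account name, associated email.
CRITICAL_FIELDS = {"password", "email", "handle"}
CODE_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong codes cancel the pending change


@dataclass
class PendingChange:
    field_name: str
    new_value: str
    code_hash: str        # only a hash of the one-time code is kept server-side
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    handle: str
    email: str
    password: str
    phone: str                              # second channel registered with the account
    bio: str = ""                           # a non-critical field, changed without a second step
    pending: Dict[str, PendingChange] = field(default_factory=dict)
    sms_outbox: List[Tuple[str, str]] = field(default_factory=list)  # stands in for an SMS gateway


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def request_change(account: Account, field_name: str, new_value: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Ask for an account change. Non-critical fields are applied at once and
    None is returned. Critical fields are parked as a pending change, a one-time
    code is sent to the registered phone, and the pending-change id is returned
    so the owner can confirm it later."""
    now = time.time() if now is None else now
    if field_name not in CRITICAL_FIELDS:
        setattr(account, field_name, new_value)
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    change_id = secrets.token_urlsafe(16)
    account.pending[change_id] = PendingChange(
        field_name, new_value, _hash_code(code), now + CODE_TTL_SECONDS)
    # The code travels over the second channel only; it is never handed back to
    # the web session that asked for the change.
    account.sms_outbox.append(
        (account.phone, f"Code {code} to change {field_name} on @{account.handle}"))
    return change_id


def confirm_change(account: Account, change_id: str, code: str,
                   now: Optional[float] = None) -> bool:
    """Apply a pending change if the code is right, unexpired and within the
    attempt budget. Returns True only when the change was actually applied."""
    now = time.time() if now is None else now
    pc = account.pending.get(change_id)
    if pc is None:
        return False
    if now > pc.expires_at:
        del account.pending[change_id]            # stale code: the owner must start over
        return False
    pc.attempts += 1
    if not hmac.compare_digest(pc.code_hash, _hash_code(code)):
        if pc.attempts >= MAX_ATTEMPTS:
            del account.pending[change_id]        # too many guesses: cancel the change
        return False
    setattr(account, pc.field_name, pc.new_value)
    del account.pending[change_id]
    return True


if __name__ == "__main__":
    acct = Account("sme", "social@example.com", "old-password", "+1-555-0100")
    cid = request_change(acct, "email", "new-alias@example.com")
    print("email still", acct.email, "- code sent to", acct.sms_outbox[-1][0])
    code = acct.sms_outbox[-1][1].split()[1]      # read the phone, as the owner would
    print("confirmed:", confirm_change(acct, cid, code), "- email now", acct.email)
```

The point the post makes is visible in the flow: someone holding only the compromised mailbox can request the change, but without the phone the email address, password and handle stay exactly as they were, and guessing is cut off after a few tries.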

But if you can’t wait for that to happen…

Best Practices for Hack Avoidance

  • Change passwords often
  • Be extra-wary of any email that asks for one, or gives you a link to sign in
  • Train your team on how to recognize malware link-jacks
  • Use a hidden email address

That last one bears some explaining.

If I want to take a stab at getting the SME Twitter password, I can try phishing for the email address associated with the account. But if the Twitter handle is registered to, then I probably won’t find it. And if that email address is used for nothing else, I won’t know it exists.

As a best practice, your email addresses for your social accounts should not be your regular address. Use an alias. Set a rule that forwards the email from to the address you regularly check. But don’t tie it to a personal address. (If you represent a brand big enough to have a “team,” this is a great idea anyway so you can avoid the issues that arise when a team-member leaves the company.)

Most importantly, have a plan. Know the process for initiating a password reset, and go ahead and assemble a Cheat Sheet of who you would need to alert for each of the networks you’re using. You will never be hack-proof, but the above steps will make you a harder target, at least until Twitter and Pinterest and others step up their own game with Two-Step Authentication.

About the Author

Ike Pigott

In his previous life, Ike Pigott was an Emmy-winning TV reporter, who turned his insider's knowledge of the news cycle into a crisis communications consultancy. At the American Red Cross, serving as Communication and Government Relations Director for five southeastern states, Ike pioneered the use of social media in disaster. Now -- by day -- he is a communications strategist for Alabama Power and a Social Media Apologist; by night, he lurks at Occam's RazR, where he writes about the overlaps and absurdities in communications, technology, journalism and society. Find out how you can connect with Ike or follow him on Twitter at @ikepigott. He also recently won the coveted "Social Media Explorer contributing writer with the longest Bio" award.