
Twitter hack has lessons for businesses

By Tom Flynn
16 July 2020

By Tom Flynn, Partner

For those of us involved in running a verified (blue-ticked) Twitter account, a hack is the stuff of nightmares, and a hack in which followers lose money is right at the top of the list of things you hope never happen.

Twitter went into a frenzy late on Wednesday (15 July) as strange messages started appearing on the accounts of some very high-profile figures, from former US President Barack Obama and Democratic presidential candidate Joe Biden through to huge brands such as Apple (which had never tweeted from its corporate account before, which made it look stranger still) and Uber. But how had so many (presumably) security-conscious figures been hacked at once?

It seemed obvious from the start that this was far more likely to be a compromise of a third-party app or of Twitter itself than of the accounts themselves: an attacker would have to get very lucky to break into so many verified accounts at the same time. There is precedent for the third-party route. The Metropolitan Police press account, for example, was hacked last year via a third-party service that had permission to tweet on its behalf.

At first Twitter themselves seemed unsure of what was happening, with the @TwitterSupport account saying only that they were ‘taking steps to fix it’ and providing no further details. As a precaution, Twitter locked all verified accounts for several hours, preventing them from tweeting or changing passwords.

So how can organisations protect themselves against this kind of attack? The short answer is: they can’t. According to Twitter’s latest statement this was ‘a coordinated social engineering attack’ on its own staff: the hackers targeted Twitter employees with access to internal admin tools, so the weak point was a person inside Twitter rather than anything under the account holders’ control. Nothing an individual account holder could have done would have stopped it. From Twitter’s side it is also a lesson in access control: talking one employee into handing over their credentials should not be enough to take over any account on the platform.

But there are steps that protect against more common attacks. Two-factor authentication is a hassle but makes unauthorised access much less likely, and an authenticator app or hardware security key is a stronger second factor than SMS codes. Only use scheduling tools and other third-party apps with a proven security track record, and periodically review which apps have permission to post on your behalf, revoking any you no longer use: each one is an extra way into the account, as the Met Police case showed.

Finally, make sure you have other means of communicating with your audience. If you lose access to your account, you can use other social media platforms to tell your customers what has happened. The trust people put in high-profile figures and brands led to over $100,000 being lost in this particular scam, and the loss would have been far higher had the attackers asked for card payments rather than Bitcoin. In this case Twitter will understandably take much of the blame, but in a conventional account takeover the finger will be pointing at you, and online trust isn’t something you can afford to lose.