For all the time, money, and effort that corporations spend on securing their data, email, websites, etc., there’s a surprisingly small amount of consideration given to corporate social media accounts. Need I remind you about the Script Kiddies’ hack of Fox’s @FoxNewsPolitics, which put a number of Secret Service agents on high alert? Whether it’s your organization’s social media channels or just your own personal rep on the line, taking the time to shore up your account against hackers is time well spent.
The Setup
To be clear, the scenarios I’ll outline below are not the hacks themselves. A hack is the end goal of a sometimes quite sophisticated method of obtaining your social media account details, and the beginning of that chain usually starts with a phish. If you’ve ever received a notice from a Nigerian prince, then you’re already privy to what a phish looks like. If it’s too good to be true, too awful not to have heard about it multiple times elsewhere, or simply a message out of the blue from a random stranger, there’s a good chance you’re looking at chum.
A common phish that’s been making its way around the Twitterverse for a while now is the “Is this you in this video?” message, or some derivation thereof. Sadly, hackers are preying upon natural human curiosity, especially when it comes to oneself. What the link actually is, is a redirect to any number of harmful URLs floating around on the ‘net that host worms: once clicked, they self-replicate and can make their way through networks. Once an outsider’s worm has infected enough of a network, or the right areas of it, say goodbye to control, as a hack is now officially in progress.
Another growing trend across social networks is for phishers to capitalize on popular news events: they quickly set up a site that mimics a legitimate source (or sometimes don’t even bother) and spread their infected URLs across the social web.
On the Facebook front, 9 times out of 10 a phish is propagated from a previous hack (think FaceNiff or Firesheep). Once a user account is infiltrated, the hacker will post what appears to be a link to a video. If you look carefully, this “OMG! Most amazing (fill in the blank here)!!” video is pointing towards apps.facebook.com, something you’d not normally expect for a video link. This link takes you to a Facebook app that quickly redirects you to a site that looks very much like Facebook (also known as a spoof) and prompts you to log in. Enter those precious details, and congrats, the phish is over and the hack may begin at any time.
Remember, if your social media account is greeted with any unexpected links to web pages, videos, photos, etc.: Shields Up!
The Solution
Ok, ok. I get it. Not everyone is hyper vigilant in their day-to-day dealings with their favorite social networks. So what can be done to avoid such nastiness?
A good starting point is to carefully control and limit who has access to the corporate, or personal, social media login details. That’s not to say that collaborative interaction with customers and fans is discouraged, but how many key players do you really have running the show? I’d bet that Jim from Accounting has a few more forecasts and budgets to focus on before he gets to converse with the public about Acme Corp.’s intricate financial reporting details. And for those who do have access to the social media login details, are they trained? Have they read the paragraphs above? Are they well versed in spotting a phish?
Once you’ve put the lockdown on who has the keys, it’s time to put your social media house security in order. Here’s a rundown on what you should be taking a look at:
- HTTPS. The HTTP we all know and love, with an added dash of Security. By adding the S, you’re enabling secure browsing and encryption of your communications with the site. In Twitter, check the “Always use HTTPS” box, which can be found at the very bottom of Settings -> Account. For Facebook, navigate to Account -> Account Settings -> Security.
- 3rd party apps. Sure, we all use them from time to time, but when was the last time you actually used that Twitt3r_DJ app to broadcast your live set? The same goes for Facebook. Make it part of your monthly review to check which apps you’ve granted access to your account. If you haven’t used a particular app in the past month, delete it or revoke its access. Remember, it only takes one of these apps to become a port of entry, and through no fault of your own, you’re now looking at a security threat.
- Notify me. Facebook offers a handy service that, when enabled, will prompt the user for a security code each time an unrecognized device attempts to access your account. Used in combination with the Login Notifications feature, this might not stop the high-end hackers, but it’ll stop the noobs in their tracks, as well as give you a heads up that it’s time to change your password.
- Change your password. I’m a huge fan of 1Password, but there are others out there that will do just about the same. Along with your monthly review of third-party applications, toss a password change in there as well. 1Password, KeePass, and others offer a random password generator feature; put it to use! If you’re feeling particularly jovial, do it on a Friday and “forget” to notify the rest of your team members until Tuesday. Tread with caution.
- 1 account per channel. If you’re a personal user, my guess is that you’re using the same email address for every social network you’re on. Likewise, I’ll bet 85% of you use the same password, or a simplistic variation of it, for each of these sites. Before going any further, please see the bullet point above. Corporate and team users will want to think about establishing a separate email address for each social media account.
Why? If your organization is using socialmedia@acmecorp.com to log in to the majority of its social media channels, you’re already one step behind the hackers, as they now have one of the two crucial elements needed to gain access to your account. If you’re using the same password all over the place, brother, your day just got a whole lot more interesting, and not in a good way. Do not simply go down the line (twitter@acme, facebook@acme, etc.); rather, apply some variation that most can remember but not all can guess. Twlt3r@acme and f4c3b00k@acme could be some possible combinations.
The Cleanup
So you’ve done just about everything that you can do to secure your social media channels, but it looks like Matthew Broderick has been sent to the Principal’s Office and managed to obtain your passwords (again). What now?
Follow, to a T, the social media hacking procedure you and your team put in place months ago. I’m sorry, what? You don’t have a, “Holy kaw! We were hacked! Ok everyone, remain calm, this is what we do,” plan in place? Fear not, here’s a handy outline:
- Light up the lines and alert everyone on the social media team to the intrusion. Additional department heads should also be alerted, including IT, marketing and PR, legal, etc.
- As quickly as possible, send out notification that your account(s) have been hacked. A blog entry, a fellow social media persona at another corp., a front-page message, etc. can all help to mitigate the damage. Reassure and inform fans/followers of the incident, and let them know what you’re doing to rectify the situation. Once “normal” activity has been restored, continue to inform your fanbase about what happened, what data, if any, was accessed, and what you’re doing in the future to ensure that this never happens again. Like re-reading this article, for example.
- As soon as you’ve noticed suspicious activity, attempt to change your password(s). If you’re able to reset your password, that’s a good thing, as your hacker has not yet reached this step of control. If you are unable to change your password, the hacker has already done you the unfortunate favor. Twitter, Facebook, and most other social networks will be able to assist you in recovering what is rightfully yours.
- Reporting the incident to the authorities may be mandatory depending on the severity of the incident. If it’s significant enough, an insurance claims investigator will certainly want to see a report. Also let the social network or service in question know of the attack. They keep logs and records, and if an investigation does come to fruition, it’s always better to have reported the incident than not.
- Take stock of what’s happened. A hack of your social media account(s) may be just that, and nothing more. However, your IT department will want to conduct a thorough review of the incident, as hacking your Twitter account may be part of a larger, unseen operation running in the background. Is the Twitter hack just a diversion to pull IT resources away from their desks?
While a number of these points and actions seem simple and obvious, most of us are juggling 5 things at once, and don’t always stop, think, look, and then click. With a bit of social media security training up front, and a well thought out social media disaster plan already in place, you can cut “OMG, we’re doomed!” down to a simple “When was the last time we were hacked?” or, at worst, “Ok, that’s not fun… but we managed it, and we’ll continue managing it, ensuring that it doesn’t happen again.”