It seems like company Twitter accounts being attacked is almost the norm these days; today’s news that the US Central Command’s account was compromised is just the latest in a string of attacks on corporate Twitter accounts.
The thing is, if you’ve ever run social media for a brand, you probably know just how bad Twitter is at providing tools for companies to manage their account across teams. The service doesn’t yet offer any meaningful way to share a Twitter account beyond directly giving out the password to those that need access.
When Twitter’s two-factor arrived, many of us hoped that some security for company accounts was finally here, but it still isn’t. Twitter’s two-factor is great, but flawed when used for teams. In effect, anyone with your company’s Twitter password is a target for social engineering since those users effectively have god-mode access.
The solution that many use to delegate access across teams is to use a tool like Hootsuite to dish access out to team members without revealing the password. Even this method isn’t perfect, since you’re now relying on yet another company to keep your account secure.
Despite this, in most cases the master Twitter password is still shared by a few people so they can access Twitter directly on the web or via the Twitter apps when necessary.
There’s no effective way to revoke access from a user without resetting the password for everyone, and Twitter’s two-factor doesn’t work in this sort of environment because it can only be used on a single phone. It can also be used as a weapon against you: if an attacker manages to get in and change the device or SMS number it’s attached to, you’re locked out for good.
All it takes is a user with the password to fall for a phishing attack or approve a malicious application and then you could see a result just like today’s attack. The only way out is to reset the password again, before the attackers do.
With Twitter being embraced by big companies, celebrities and other brands around the world, one would imagine that it should have better tools by now for delegating access. News organizations are obvious targets because they’re trusted and have large social reach, yet there are still no tools to protect them.
This isn’t something that’s going to go away until Twitter builds better security; attacks like this happen over and over again. It’s hugely damaging for the brands that are targeted, but should Twitter be doing more, or do employees need better education?
It’s a mix of both; employees need to be more aware of just how real security threats are against them, but Twitter shouldn’t be excused for not providing tools to help manage security better for teams.
It’s disappointing that an 8-year-old network still doesn’t provide delegated access, where employees are required to authenticate using their own accounts to access Twitter.
There are some workarounds for teams that want to protect themselves as best they can. Some quick advice for teams looking to ensure they’re well protected:
- Use a tool like Meldium to share account access without passwords ever being revealed.
- Authorize a third party social media tool like Hootsuite or Respondly and only use these methods for employee Twitter access.
- Change the company Twitter password regularly and make sure it’s only accessible to a small number of people.
- Review authenticated Twitter apps frequently.
In a world where a single tweet could put your company (or government organization) at risk, we need better tools to protect against attacks. Even in 2015, there’s still a single point of failure: a password, shared across employees, could cause your Twitter account to be out of your control.