Last month, the BBC found a number of its official Twitter accounts hacked following a successful attempt to phish log-in information and passwords from their owners via a series of emails to staff. Since then, both the Associated Press and the British newspaper the Guardian have found official Twitter feeds hijacked by hackers, with the @AP account managing to cause mild panic on Wall Street with a tweet announcing an attack on President Obama at the White House.
In response to these attacks, Twitter has released a memo to news organizations offering advice on how to keep control of their accounts, as well as suggestions of what to look for from those trying to take that away from them. “There have been several recent incidents of high-profile news and media Twitter handles being compromised,” the memo notes. “These incidents appear to be spear phishing attacks that target your corporate email. Promoting individual awareness of these attacks within your organization and following the security guidelines below is vital to preventing abuse of your Twitter accounts.”
Amongst the guidelines suggested by Twitter:
- Change Twitter passwords immediately. Passwords should be, it’s suggested, “at least 20 characters long” and “either randomly-generated passwords (like ‘LauH6maicaza1Neez3zi’) or a random string of words (like ‘hewn cloths titles yachts refine’).” “Never send passwords via e-mail, even internally,” the memo warns. Passwords, it goes on to suggest, should be changed on a regular basis to confound potential hackers.
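The two password forms the memo describes, as an added illustration that is not part of the memo or the article: a generator for each form, a check against the memo's 20-character minimum, and the entropy arithmetic that shows why a five-word phrase is roughly comparable to a random 20-character string. The eight-entry word list is constructed for the example; the 7776-entry list size used in the comparison is an assumed diceware-style list, not something the memo specifies.

```python
import math
import secrets
import string

# The memo's stated minimum length for account passwords.
MIN_LENGTH = 20
# Alphabet for the random-string form (letters and digits, as in the memo's example).
ALPHABET = string.ascii_letters + string.digits

# Constructed word list for the example; a real passphrase list has thousands of
# entries, and the entropy functions below take the list size as a parameter.
WORDS = ["hewn", "cloths", "titles", "yachts", "refine", "harbor", "lantern", "meadow"]


def random_password(length: int = MIN_LENGTH) -> str:
    """Form 1 from the memo: a randomly generated string of letters and digits.
    Uses the secrets module (CSPRNG), never random.choice."""
    if length < MIN_LENGTH:
        raise ValueError(f"memo requires at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDS) -> str:
    """Form 2 from the memo: a random string of words separated by spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def meets_memo_length(password: str) -> bool:
    """The one concrete, checkable rule the memo states: at least 20 characters."""
    return len(password) >= MIN_LENGTH


def string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of guessing entropy in a uniformly random string."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy in a passphrase of uniformly chosen words (the list is public;
    only the choice of words is secret, so length of the words adds nothing)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(random_password(), meets_memo_length(random_password()))
    print(random_passphrase())
    print(round(string_entropy_bits(20, len(ALPHABET)), 1))   # 20 random alnum chars
    print(round(passphrase_entropy_bits(5, 7776), 1))          # 5 words, assumed 7776-word list
```

The second form's strength depends entirely on the number of words and the list size, not on how long the resulting string is, which is why a short list like the constructed one above would be far too weak in practice.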
- Keep email secure. “If your email provider supports two-factor authentication,” the memo says, “enable it.” Later, the memo goes on to suggest that the security team be brought in to make sure that email is “as safe as possible,” even if that means bringing in third-party security providers.
- Rework Twitter process within companies. “Minimize the number of people that have access,” the memo suggests. “Even if you use a third-party platform to avoid sharing the actual Twitter account password, each of these people is a possible avenue for phishing or other compromise.” Additionally, consider only using one designated computer per Twitter account – something that seems somewhat at odds with the mobility and speed of the platform in general.
In the unfortunate instance that you discover that your account has been hacked, the memo reports, the first thing that should be done is to contact Twitter with the word “Hacking” in the email subject line and copies of any emails suspected as phishing efforts.
The memo points to how seriously Twitter is taking the recent hacks, and how concerned the company is for the credibility of Twitter as an information medium in the future. “We believe that these attacks will continue,” the memo warns, “and that news and media organizations will continue to be high value targets to hackers.” So who will be next?