On May 3rd, Twitter asked its 336 million users to change their passwords due to an internal bug. The company discovered stored passwords unmasked in an internal log.
As more companies embrace social media as a key marketing channel, how can they simultaneously protect the confidential data of their users and employees?
The Twitter bug is just one anecdote of how bad actors can potentially access a company’s compromised social account passwords. There are dozens of active sites on the dark web that serve as marketplaces for cybercriminals to buy and sell stolen credentials. For an average price of $15, criminals can buy a credential for almost any kind of company you can imagine.
Social attacks are on the rise
Organizations use an average of 10 unique apps on their Twitter accounts and six apps on Facebook. Companies with very active social feeds can have as many as 35 authorized publishing apps on a single Twitter account. This introduces a high level of risk. Each admin and authorized publishing app becomes part of the attack surface for each social account.
Attackers are leveraging this risk. In the past year, we’ve seen a slew of companies fall victim to a hacked social brand account. Here are five examples that made the headlines:
- This month, Buffalo Wild Wings Twitter account was hacked and spread crude and racist comments, prompting national attention and a public apology
- A YouTube manager’s Twitter account was hacked to spread fake news during an active shooting at YouTube’s headquarters.
- HBO’s popular “Game of Thrones” Facebook account was compromised with the criminals trying to get #HBOhacked trending.
- University of Washington, Madison had to suspend its Twitter account after a hacker posted a series of profane tweets to the university’s 160,000 followers.
- And, the BBC and New York Times have also fallen prey to hacks on their Twitter accounts that blasted their followers with fabricated headlines.
Social account hack details are often oversimplified. Many think it’s only a matter of mismanaged passwords. But the reality is often more complex. The high number of social accounts with complex operating environments sit outside a company’s infrastructure and thus do not garner the kind of corporate investment in security controls that the company’s website and internal email systems enjoy.
But without the proper security controls in place, it’s difficult to detect a compromise until it is too late.
What can organizations do to combat attacks on social media?
Organizations should ensure their social accounts have automated tools in place that are trained to detect and secure against account hacks.
Your defense technology should understand your approved account profile settings and constantly monitor for any unauthorized changes. In the event of an unauthorized change, your defense system should instantly send an alert and can lock down your account.
In addition, your technology should analyze your corporate posts and publishing behaviors for malicious content or unexpected changes that indicate a hack and should automatically delete any offending hacker-posted content. This step is essential to ensure your social engagement is preserved and your organization doesn’t join the “hacked company news headlines club.”
In our modern, digitally-connected world, cybercriminals can easily hack a company’s social media accounts. Learn how your security and marketing teams can protect your accounts with Proofpoint Social Patrol.
Subscribe to the Proofpoint Blog