Dark Reading is part of the Informa Tech Division of Informa PLC


5 Steps To Prevent Twitter Hacks

Twitter security is in the spotlight after high-profile account hijacks that hit Reuters and a tech journalist. Here are protective moves for individuals and enterprises.

Remember when kids used to knock over garbage cans for fun? Now, at least some of that energy appears to have been redirected online, toward the takeover of Twitter accounts.

For starters, on Friday a 19-year-old who goes by the handle "Phobia" hacked into journalist Mat Honan's Twitter account, after first gaining access to Honan's Amazon, Apple, and Google accounts. Along the way he erased those accounts, together with the contents of Honan's iPhone, iPad, and MacBook Air.

Sunday, an attacker with more of a political bent hacked into the @ReutersTech Twitter feed, which has 17,000 followers, and began tweeting such messages as "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria" and "Obama signs executive order banning any further investigation of 9/11." Security experts suspect that the Syrian Electronic Army--a self-described "virtual army" that enjoys at least tacit support from Syrian president Bashar al-Assad--was behind the takeover.

In the wake of those two high-profile Twitter account compromises--not to mention numerous past incidents involving other businesses--what can users of the online social network and microblogging service do to protect their accounts? Begin with these five steps.

1. Don't Tie Twitter To Webmail Accounts
Cloud services such as Twitter ask for an email address at signup and send password-reset links to that address. One security misstep documented by Honan was that the address on his Twitter account was his Gmail address, which was publicly listed on other sites. Once attackers had control of that Gmail account, they requested a Twitter password reset, read the reset email in Gmail, and used it to take over the Twitter account and set a password of their own choosing.


As Honan noted: "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter." To make online services such as Twitter harder to reach through such a chain, register them with a dedicated email address that is not publicly listed and is not itself hosted by, or recoverable through, another cloud account that could be compromised first. If you must use a Gmail address, enable Google's free two-factor authentication, so that knowing or resetting the mailbox password is not enough to read the reset email.

2. Practice Proper Access Management
Accessing Honan's Twitter account gave attackers a bonus: they were also able to post to the Gizmodo Twitter feed, which has 416,000 followers. That capability was left over from the time Honan ran Gizmodo's Twitter account; his personal account was still authorized to post there. Per access management best practices, Gizmodo's information security department should have kept an inventory of every person and application authorized to post to its Twitter account, and revoked Honan's authorization when he stopped working for the company.
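The daisy chain from steps 1 and 2, worked as an added example (this is not code from the article): each account is a node, and an edge A -> B means that control of A lets an attacker reset the password of, or post as, B (reset email delivered to A, or a stale authorization from A). Walking the graph shows how many accounts fall with any single compromise, how much that shrinks once one account in the chain is protected by two-factor authentication, and what revoking a leftover authorization buys. The account names and edges are constructed to match the chain described above.

```python
from collections import deque

# Constructed from the chain described in the article. An edge A -> B means
# "control of A lets an attacker reset or post as B" (reset email, linked
# account, or a posting authorization that was never revoked).
RESET_EDGES = {
    "amazon": ["apple_id"],
    "apple_id": ["gmail"],
    "gmail": ["twitter_honan"],
    "twitter_honan": ["twitter_gizmodo"],  # stale right to post to Gizmodo's feed
    "twitter_gizmodo": [],
}


def blast_radius(edges, start, protected=frozenset()):
    """Accounts an attacker reaches after compromising `start` (excluding `start`).

    Accounts in `protected` model a second factor on the reset path: they are
    not taken over, so nothing behind them is reached through them either.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt in protected or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def revoke(edges, src, dst):
    """Copy of the graph with the src -> dst authorization removed (offboarding)."""
    return {a: [b for b in bs if not (a == src and b == dst)] for a, bs in edges.items()}


def weakest_links(edges, protected=frozenset()):
    """Entry points ranked by how many other accounts fall with them."""
    ranked = [(len(blast_radius(edges, a, protected)), a) for a in edges]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print("as-is:            ", weakest_links(RESET_EDGES))
    print("2FA on gmail:     ", weakest_links(RESET_EDGES, protected={"gmail"}))
    offboarded = revoke(RESET_EDGES, "twitter_honan", "twitter_gizmodo")
    print("2FA + revocation: ", weakest_links(offboarded, protected={"gmail"}))
```

In the as-is graph the least-protected account (Amazon) carries the whole chain; protecting the mailbox cuts the walk at Gmail, and revoking the leftover Gizmodo authorization means that even a compromise of the personal Twitter account reaches nothing else. The same walk works on a real inventory of accounts and their recovery addresses.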

3. Use Unique Passwords
While it might sound basic, also ensure that every password for a corporate Twitter account is unique as well as complex. For example, after last year's Fox News Twitter account hack, in which attackers issued fake tweets claiming that President Obama had been killed, security experts guessed that Fox News had either been using an easy-to-guess password or had reused the password elsewhere.

4. Keep Self-Hosted Web Software Updated
Collateral damage was a theme in the Honan hack, and the same is true in the case of Reuters. Notably, attackers also compromised a WordPress blog hosted by Reuters, posted a fake interview with a Syrian rebel army leader that remained online for about six hours, and issued a tweet with a link to the interview.

Attackers likely gained access to the Reuters WordPress blog by exploiting known vulnerabilities in its outdated software. Mark Jaquith, a lead WordPress developer and a member of its security team, told The Wall Street Journal that Reuters was running version 3.1.1 rather than the then-current 3.4.1, which carried the most recent security patches. "If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches," said Jaquith.

5. Secure All Blogs Set To Auto-Tweet
Many WordPress sites are also configured to issue a tweet automatically whenever a new post goes live. In that case an attacker who can publish to the blog can tweet in the company's name without ever touching the Twitter account itself.

With that in mind, how can software such as WordPress be kept up to date? In-application warnings alert administrators whenever an update is available, but subscribing to the vendor's emailed announcements, especially those covering security fixes, is also essential, according to Chester Wisniewski, a senior security advisor at Sophos Canada. Any company that outsources its blog, he added, should review the outsourcer's update policy to learn how quickly the software, as well as related add-ons and the underlying infrastructure, will be patched.
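A quick check for the situation described in steps 4 and 5, as an added example (not code from the article or from the WordPress project): a stock WordPress install advertises its core version in two places, the generator meta tag on HTML pages and the generator element of its RSS feed. The Python below pulls the version out of either body and compares it numerically against the version you consider current (3.4.1, the release quoted above). The page and feed bodies are constructed samples; in practice you would fetch your own site's front page and feed.

```python
import re
from typing import Optional

# Where stock WordPress leaks its core version:
#   HTML:  <meta name="generator" content="WordPress 3.1.1" />
#   RSS:   <generator>http://wordpress.org/?v=3.1.1</generator>
HTML_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)*)["\']',
    re.IGNORECASE,
)
FEED_GENERATOR_RE = re.compile(
    r'<generator>https?://wordpress\.org/\?v=(\d+(?:\.\d+)*)</generator>',
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """'3.4.1' -> (3, 4, 1), so versions compare numerically ('3.10' > '3.9')."""
    return tuple(int(part) for part in version.split("."))


def detect_wp_version(body: str) -> Optional[str]:
    """Return the WordPress version a page or feed body advertises, or None."""
    for pattern in (HTML_GENERATOR_RE, FEED_GENERATOR_RE):
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def audit(body: str, current: str) -> dict:
    """Report the advertised version and whether it is behind `current`.

    A None version means nothing was advertised, which is not the same as
    being up to date: the generator tag can be removed by a theme or plugin.
    """
    found = detect_wp_version(body)
    if found is None:
        return {"version": None, "outdated": None}
    return {"version": found, "outdated": parse_version(found) < parse_version(current)}


# Constructed sample bodies (not captured from any real site).
SAMPLE_HTML_OLD = (
    '<html><head><title>Blog</title>\n'
    '<meta name="generator" content="WordPress 3.1.1" />\n'
    '</head><body></body></html>'
)
SAMPLE_FEED_CURRENT = (
    '<?xml version="1.0"?><rss version="2.0"><channel>\n'
    '<generator>http://wordpress.org/?v=3.4.1</generator>\n'
    '</channel></rss>'
)
SAMPLE_HTML_STRIPPED = '<html><head><title>Blog</title></head><body></body></html>'

if __name__ == "__main__":
    for label, body in [("old", SAMPLE_HTML_OLD), ("feed", SAMPLE_FEED_CURRENT), ("stripped", SAMPLE_HTML_STRIPPED)]:
        print(label, audit(body, "3.4.1"))
```

Hiding the generator tag only removes the advertisement; the fix for an outdated install is the update itself, and the same check should be run against the versions of any plugins and themes that post to Twitter on the site's behalf.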

User Rank: Apprentice
9/3/2012 | 5:00:05 PM
re: 5 Steps To Prevent Twitter Hacks
And they will continue to be hacked and defrauded until they implement some form of 2FA (two-factor authentication) where you can telesign into your account.
Mack Knife,
User Rank: Apprentice
8/8/2012 | 10:30:08 PM
re: 5 Steps To Prevent Twitter Hacks
You forgot the most important step:

Do not use Twitter. Is your personality really so shallow that you must twit your every move, thought or happening. More important, do you really think others really care that much about what you do?

Your friends have become nothing more than hash tags; people you really don't know anymore and are more likely to be a bot than a person anyway.

Can you honestly say that between twitter and facebook that you can add up all the links and come up with a real person? You shamelessly give away your profile that twitter and facebook sell for money while you get what in return? Access? Access to what?

Go outside, smile at the next person you walk past and say "hi". Unless they are like most twits and faces, completely self absorbed, they will usually smile back and return the "hi". In that instant you will have connected with another human being and accomplished more than all the days and nights you spend twitting, facing or booking.

What a day it will be when the tipping point is reached and everyone realizes that twitter and facebook are really nothing but vapor.