The Associated Press (AP) has admitted that its Twitter account was hacked and used to send out a false report of explosions at the White House.
"Breaking: Two Explosions in the White House and Barack Obama is injured" was the message that went out to the Twittersphere.
With just under two million followers, including myriads in the financial sector, AP's Twitter account has a wide reach, and is influential.
Influential enough, it seems, that even a false rumour of this sort can have a visible affect on the stock market.
The Dow Jones Industrial Average, for instance, shows a clearly-noticeable stutter at the time of this offending tweet:
→ If you're a market analyst, you might consider this a "brief plunge"; if you're a lexicographer, you might insist that a "plunge" needs to be both extreme and uncontrollable; if you are an arithmetician, you might say simply that the Dow dipped very slightly, by under 1%, before rising to a level very slightly higher than before the slight drop.
Just how the hack was orchestrated is not yet clear, but AP's own notification observes that:
The attack on AP's Twitter account and the AP Mobile Twitter account was preceded by phishing attempts on AP's corporate network.
Of course, given the prevalence of phishing attempts by email, this phishing might merely be coincidental.
There are many ways other than phishing by which the passwords to your corporate Twitter could end up in the hands of cybercriminals, from keyloggers, through poor password choice and password reuse, to insider abuse of official privilege.
→ A keylogger is malware that sits in the background on your computer and records what you type when you fill in password forms; poor password choice is using easily-guessed passwords like "letmein"; password reuse is using the same password on many sites so a criminal needs to penetrate only the weakest one; and insider abuse is when someone who is trusted and authorised goes rogue.
Another challenge in the business world is that a single Twitter password might be shared by many staff in marketing, all of whom are under pressure to "keep those Tweets coming."
Only one of those users needs to lose, leak or divulge the password to put everyone in danger.
Interestingly, the fact that information published on Twitter is invariably meant to be public (so there is no need for confidentiality) can mislead users into treating the overall security of their Twitter accounts less seriously.
But security isn't only about confidentiality.
It also requires a robust approach to authenticity, to prevent imposters ftom publishing possibly harmful information with your imprimatur.
And it requires integrity, to prevent bogus or modified information being accepted as correct.
So here are three pieces of safety advice you can follow when it come to social networks:
- To journalists and Dow Jones investors, "Check your facts."
- To corporate Twitter users, "Don't share your corporate password widely."
- To Twitter itself, "Bring on two factor authentication, at least for corporate users."