Sophos Cloud Optix
This is not the kind of thing that Salem State University wants attributed to its Twitter stream on the eve of commencement:
Trump has done nothing but great things for our country during his presidency and will fix all the wrong that [expletive] president did
Our education revolves around white working americans, we don’t need you immigrant thieves in our school we are better than this
All that black lives matter [expletive] is unneeded and unnecessary in our community.
Nonetheless, officials at the university, which is near Boston, said they were “appalled” to see these and other racist and sexist tweets sent out on Friday night after the school’s Twitter account was hijacked.
They managed to wrestle the account back near midnight, sending out this tweet:
The official Salem State University Twitter account has been hacked by unknown miscreant(s) and will be shut down forthwith.
— Salem State Police (@SSUPolice) May 20, 2017
…and deleting the hijacker’s messages shortly thereafter.
CBS Boston quoted Nicole Giambusso of the university:
We’re appalled by the language that was used. It in no way represents Salem State University and our community here.
The school apologized in this statement on Saturday:
We are appalled by the hateful nature of these tweets, which in no way represent the views of Salem State University. We have notified our social media followers of this compromise and are working with IT to implement additional security safeguards.
What safeguards stop Twitter hijackers?
Salem State University, we’re glad to hear you’re looking into how to stop your Twitter account from getting hacked away from you, and we hope that other universities, politicians, celebs, or plain old non-famous civilians follow suit. If it’s any consolation, you’ve just joined a who’s who list of hijacked Twitter accounts that have included these big names:
- John Podesta, chairman of Hillary Clinton’s presidential campaign.
- Mark Zuckerberg – Mr Social Media himself.
- NASA’s Kepler account.
- Black Lives Matter activist and politician DeRay Mckesson.
- Twitter CFO Anthony Noto.
As we’ve noted in the past, there are plenty of ways to have your Twitter account hijacked:
- Clicking on phishy links
- Using feeble passwords instead of unique, hefty brutes
- Poor password hygiene, such as using your pet’s name or simply handing over your password to strangers.
Of course, Twitter accounts of high-visibility targets – businesses, celebrities or big brands such as those associated with universities, for example – are particularly tempting to hijackers.
Twitter has attempted to make it safer to have one of those tempting, highly targeted accounts.
In 2015, the company introduced a feature called TweetDeck Teams that lets users share Twitter accounts without having to share passwords. Twitter added the feature to TweetDeck, the account managing software it picked up in 2011.
TweetDeck Teams enables teams to delegate different access levels to team mates for as long as they need it. Then, when they don’t, zip! You can take it away. Twitter has a video showing how to use it at the link above, which you can also see here on YouTube.
Twitter said at the time that if you were sharing your account, you could change the password and revoke app access to ensure that from now on only recently added people would have access.
The tool also makes it possible for anyone sharing an account to use Twitter’s two-factor authentication (2FA), or what it calls “login verification”.
That will send a one-time login code to a user’s phone that they need to enter in addition to a username and password. It’s another layer of protection against would-be account hijackers, since they’d need not only your login credentials but also your phone to take over your feed.
There have been multiple high-profile hijacking victims who’ve admitted that 2FA might have helped them avoid the nightmare of having their accounts taken over, their data wiped and/or vicious content posted on their Twitter accounts: technology reporter Mat Honan said as much after he had all of the data wiped from his iPhone, iPad and MacBook and had his Gmail and Twitter accounts hijacked.
But it’s worth noting that 2FA hasn’t been enough to stop some determined attackers. Naoki Hiroshima, a software developer and the rightful owner of the valuable @N Twitter handle, credits 2FA with probably preventing an attacker from logging into his PayPal account. But 2FA didn’t keep the attacker from socially engineering and extorting his @N handle away.
Nor did it help DeRay Mckesson, whose account was whisked out from under him by somebody using just his name and the last four digits of his taxpayer ID.
But while there are a few exceptions like these, there are heaven knows how many more hijackings that have been stopped by 2FA, so turn it on whenever and wherever you can.
Twitter’s Teams is yet more protection for high-profile accounts that would suffer a whole lot of embarrassment if they were to be hijacked.
Such accounts are typically updated by multiple people, and hence, may well be more likely to have limp, easy passwords that the whole team can remember – or ones that the team sends to each other via email/texting or that are scribbled onto sticky notes and slapped onto monitors.
Of course, all accounts should be secured with passwords that are tough as nails, be they for celebs, politicians, Twitter execs, or plain old civilians. Here’s our short, sweet video on how to hammer out a good set of nails for your accounts:
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)