Naked Security
Hacked Twitter account spits out poison – make sure yours isn’t next

24 May 2017

by Lisa Vaas

This is not the kind of thing that Salem State University wants attributed to its Twitter stream on the eve of commencement:

Trump has done nothing but great things for our country during his presidency and will fix all the wrong that [expletive] president did

Our education revolves around white working americans, we don’t need you immigrant thieves in our school we are better than this

All that black lives matter [expletive] is unneeded and unnecessary in our community.

Nonetheless, officials at the university, which is near Boston, said they were “appalled” to see these and other racist and sexist tweets sent out on Friday night after the school’s Twitter account was hijacked.

They managed to wrestle the account back near midnight, sending out this tweet:

The official Salem State University Twitter account has been hacked by unknown miscreant(s) and will be shut down forthwith.

— Salem State Police (@SSUPolice) May 20, 2017

…and deleting the hijacker’s messages shortly thereafter.


CBS Boston quoted Nicole Giambusso of the university:

We’re appalled by the language that was used. It in no way represents Salem State University and our community here.

The school apologized in this statement on Saturday:

We are appalled by the hateful nature of these tweets, which in no way represent the views of Salem State University. We have notified our social media followers of this compromise and are working with IT to implement additional security safeguards.

What safeguards stop Twitter hijackers?

Salem State University, we’re glad to hear you’re looking into how to stop your Twitter account from getting hacked away from you, and we hope that other universities, politicians, celebs, or plain old non-famous civilians follow suit. If it’s any consolation, you’ve just joined a who’s who list of hijacked Twitter accounts that have included these big names:

  • John Podesta, chairman of Hillary Clinton’s presidential campaign.
  • Mark Zuckerberg – Mr Social Media himself.
  • NASA’s Kepler account.
  • Black Lives Matter activist and politician DeRay Mckesson.
  • Twitter CFO Anthony Noto.

As we’ve noted in the past, there are plenty of ways to have your Twitter account hijacked:

  • Clicking on phishy links
  • Using feeble passwords instead of unique, hefty brutes
  • Poor password hygiene, such as using your pet’s name or simply handing over your password to strangers.

Of course, Twitter accounts of high-visibility targets – businesses, celebrities or big brands such as those associated with universities, for example – are particularly tempting to hijackers.

Twitter has attempted to make it safer to have one of those tempting, highly targeted accounts.

In 2015, the company introduced a feature called TweetDeck Teams that lets users share Twitter accounts without having to share passwords. Twitter added the feature to TweetDeck, the account-management software it acquired in 2011.

TweetDeck Teams enables teams to delegate different access levels to teammates for as long as they need it. Then, when they don’t, zip! You can take it away. Twitter has a video showing how to use it at the link above, which you can also see here on YouTube.

Twitter said at the time that if you were sharing your account, you could change the password and revoke app access to ensure that from now on only recently added people would have access.

The tool also makes it possible for anyone sharing an account to use Twitter’s two-factor authentication (2FA), or what it calls “login verification”.

That will send a one-time login code to a user’s phone that they need to enter in addition to a username and password. It’s another layer of protection against would-be account hijackers, since they’d need not only your login credentials but also your phone to take over your feed.
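To make the two-step flow above concrete, here is an added toy model of "login verification" (example code written for this article, not Twitter's own implementation): a correct password only earns a one-time code sent to the account's phone, and the code must be unexpired, unused and matched within a few attempts before a session is granted. The class name, phone number and time limits are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code texted to the phone is good for five minutes
MAX_ATTEMPTS = 3         # assumption: a pending code is discarded after three wrong guesses


class LoginVerifier:
    """Constructed model of password + one-time phone code login verification."""

    def __init__(self, username, password, phone):
        self.username = username
        self._password = password   # kept in clear only to keep the example short
        self.phone = phone
        self._pending = None        # [code, expires_at, attempts_left] or None
        self.sent_codes = []        # stands in for the SMS channel to the phone

    def start_login(self, username, password, now=None):
        """Step 1: username and password. On success, text a fresh code to the phone."""
        now = time.time() if now is None else now
        if username != self.username or not hmac.compare_digest(
            password.encode(), self._password.encode()
        ):
            return False
        code = f"{secrets.randbelow(10**6):06d}"          # six-digit one-time code
        self._pending = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.sent_codes.append((self.phone, code))       # "SMS" delivery to the phone
        return True

    def finish_login(self, code, now=None):
        """Step 2: the code from the phone must match, be unexpired and unused."""
        now = time.time() if now is None else now
        if self._pending is None:
            return False                                 # no password step passed yet
        expected, expires_at, attempts_left = self._pending
        if now > expires_at or attempts_left <= 0:
            self._pending = None                         # stale or locked: start over
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            self._pending[2] -= 1                        # burn one guess
            return False
        self._pending = None                             # single use: no replay
        return True
```

Someone holding only the stolen password can pass `start_login` but never `finish_login`, which is the property the paragraph above describes.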

There have been multiple high-profile hijacking victims who’ve admitted that 2FA might have helped them avoid the nightmare of having their accounts taken over, their data wiped and/or vicious content posted on their Twitter accounts: technology reporter Mat Honan said as much after he had all of the data wiped from his iPhone, iPad and MacBook and had his Gmail and Twitter accounts hijacked.

But it’s worth noting that 2FA hasn’t been enough to stop some determined attackers. Naoki Hiroshima, a software developer and the rightful owner of the valuable @N Twitter handle, credits 2FA with probably preventing an attacker from logging into his PayPal account. But 2FA didn’t keep the attacker from socially engineering and extorting his @N handle away.

Nor did it help DeRay Mckesson, whose account was whisked out from under him by somebody using just his name and the last four digits of his taxpayer ID.

But while there are a few exceptions like these, there are heaven knows how many more hijackings that have been stopped by 2FA, so turn it on whenever and wherever you can.

Twitter’s Teams is yet more protection for high-profile accounts that would suffer a whole lot of embarrassment if they were to be hijacked.

Such accounts are typically updated by multiple people, and hence, may well be more likely to have limp, easy passwords that the whole team can remember – or ones that the team sends to each other via email/texting or that are scribbled onto sticky notes and slapped onto monitors.

Of course, all accounts should be secured with passwords that are tough as nails, be they for celebs, politicians, Twitter execs, or plain old civilians. Here’s our short, sweet video on how to hammer out a good set of nails for your accounts:
