CNN host Anderson Cooper said someone hijacked his Twitter account while he was asleep. The incident serves as a reminder that the Twitter feeds of (media) brands have become high-value targets for pranksters, online criminals and hacktivists.
How can news organizations and journalists better protect themselves against having their Twitter accounts hijacked or sabotaged?
CNN's initial announcement in December came after a tweet from Cooper's handle called President Trump a “tool” and a “pathetic loser.” CNN tweeted that “someone gained access” to his account.
just woke up to find out someone gained access to my twitter account. i have not sent a tweet in days or replied to any tweets. We are looking into how this happened. — Anderson Cooper (@andersoncooper) December 13, 2017
The account wasn't "hacked", technically. It turns out that Cooper's assistant left his phone - which was logged in to the Twitter account - unattended at the gym. So goes the story, at least, and they're sticking to it.
Someone seized the opportunity. For many journalists with far fewer than Cooper's almost ten million followers on Twitter, that didn't come as a big surprise. After all, 2017 was the year of Twitter account hijackings.
Pwnd or pranked - this is what can happen when major (media) brands, VIPs or politicos treat operational cybersecurity as an afterthought on social media.
For news media using Twitter, the writing has been on the wall for a long time. In 2013, the account of news agency AP was hacked by targeting the account owner with a phishing email.
A fake news tweet "reported" a bomb explosion in the White House and caused a mini-crash in the stock market.
The risk of attacks leveraging social media is highest in the broadcast industry and in the social media departments of large corporations and PR agencies, where smartphones and computers serve as the universal power tools for research, communication, production, and media distribution.
In the heated political climate of 2017, the Twitter accounts of big brands, journalists and other "influencers" have become trophy targets for politically motivated social media hijackers.
- Earlier this year, the Twitter account of McDonald's was hijacked and used to let loose against Trump.
- In crisis regions like Venezuela, Bahrain and Myanmar, the Twitter accounts of political activists were hacked to silence and intimidate them.
- In November, a Twitter contract worker switched off President Trump's Twitter account for 11 minutes before he left the office on his last day at work.
The November incident shows that user negligence and hack attacks targeting their accounts are not the only significant risk factors (media) brands need to consider when using social media.
They should also continuously monitor how the platform handles cybersecurity internally. Also, which shortcuts does it provide to pull the plug in case of emergency?
All major social media sites have suffered severe IT security breaches in the past.
The lax attitude of Twitter and Co. (and their inability or unwillingness to exclude spam-and-scam bot brigades from their platforms) means that journalists and other news media professionals need to be even more vigilant about cybersecurity where they can control it - on their own devices.
That a journalist's Twitter account is barely active and only has a few dozen or a few hundred followers doesn't mean it is not a target, especially if the owner manages it from systems that are connected to newsroom operations.
Targets of opportunity
Social media accounts are often targeted not to hijack them, but because they are cybersecurity soft spots on the organization's IT perimeter.
Even a rarely used Twitter account can serve as a gateway for deeper penetration of the media outlet's internal or external network and resources, for example by sending a DM with a phishing link to selected contacts.
What precautions can journalists and other Twitter users in the media industry take to prevent damaging data breaches?
10 Basic Security Tips for News Media Pros on Twitter
"A small number of easy-to-use tools, techniques, and habits are always safest." Journalist Security Guide - Committee to Protect Journalists
Let's look at what news media professionals on all levels can do to better protect themselves and their brand on Twitter:
- Check out these 15 ways for journalists to protect themselves while using social media and the internet, by the Knight Center of Journalism in the Americas.
- Make #1 on that list part of your cybersecurity policy: "Never leave your computer with your e-mail open or any other personal information." Note to Anderson Cooper's assistant: Your phone is a computer. Amazing, huh?
- Many smartphones are harder to secure against attacks than notebook and desktop computers. Because more than 80 percent of attacks use web-related exploits, using a secure remote browser like Silo whenever possible provides protection against all web-borne attacks.
- Head over to About account security on Twitter's website. Bookmark the section [Security and hacked accounts](https://help.twitter.com/en/safety-and-security#hacked-account).
- Create a secure password for your Twitter account only (never, ever use the same password twice for different services). A short, unique sentence with special characters mixed in will be tough to crack. Check out the post 8 Easy Tips for Better, More Secure Passwords by Authentic8 CEO Scott Petry on this blog.
- Activate 2-factor authentication (2FA) to receive a confirmation code by SMS for each Twitter login or password reset.
Note to Anderson Cooper's assistant: this will only protect your Twitter account if someone tries to access it from a different device and NOT from the same unlocked phone that receives the SMS message. Duh.
- Reduce the number of apps that are allowed to tweet on your behalf or manage your Twitter profile (such as photo sharing and social media tools) to a minimum.
- Access the web, including Twitter's web interface, primarily from devices that provide more robust security and anonymity than smartphones. Use secure remote browser isolation to prevent exposure of your working platform to malicious code from the web and to protect your privacy.
- Manage shared Twitter accounts using a social media manager like Buffer or HootSuite that offers an extra layer of 2FA protection. Where several team members are handling one or more Twitter accounts, access to the social media CMS should be centrally provisioned. This prevents security vulnerabilities when members leave the team.
- Protect yourself against phishing attacks by not clicking unknown links, files or account verification prompts sent to you unrequested. The hijacking of AP's Twitter account mentioned earlier was prepared through a phishing attack.
For journalists, is Twitter worth the risk?
The job of news media professionals is to report the story. They shouldn’t have to worry about cybersecurity, which should be easy.
Instead, they (unknowingly) put themselves in harm's way every time they go online from the field, where media workers often have to rely on unknown networks and unprotected WiFi.
Twitter or other social media accounts exacerbate that risk.
Anderson Cooper's rude awakening is just one more example that many journalists treat cybersecurity as an afterthought. For Cooper and CNN, the fallout from last week's mishap could have been much worse.
Think about it:
The assistant's phone was left unlocked and unattended at the gym while its apps were logged in to social media accounts with millions of followers.
What about the email account(s) on the phone? Or Anderson Cooper's contact list, with private phone numbers or confidential VIP email addresses?
Perhaps a password manager app was open, too?
If one abusive tweet is all that happened, Cooper and his assistant can consider themselves lucky.