The back-to-back hackings of Burger King’s (BKW) and Jeep’s official Twitter accounts have big companies scrambling to lock down their social media channels. These hackings, both allegedly perpetrated by a New England DJ, have brought attention to the alarming security holes on many social networks—and the ease with which hackers from Beijing or Baltimore can take over your online identity.
Twitter continues to implement new security features. But really, who thinks social media will ever be unhackable? A primer for the understandably paranoid:
How do I know when a corporate account has been hacked?
“If it’s your personal account, oftentimes people will notify you once you’ve started tweeting out things that seem out of character,” according to social media and corporate brand strategist Kim Garst. “For example, if the hacker has started using your [Direct Message] function on Twitter to send links to your followers, they’ll typically let you know on some other platform that someone has hijacked your account.” For followers of corporate accounts, however, it may not be so simple. In addition to flagrant abuse of the “Caps Lock” key, the first indicator that your account has been hacked is blatantly “off-message” posts. Burger King’s account instructed followers to “Look for a McDonald’s in a hood near you.” During Jeep’s hacking, the company’s official account declared that “We just got sold to @Cadillac because we caught our employees doing this in the bathroom,” with an attached photo of a man with a prescription pill bottle. In short: If a corporate account isn’t trying to sell its own product, and says so in all capital letters, the password security has likely been defeated.
Wow. Who has been hacked in the past?
Everyone from multinational corporations to multiplatinum recording stars have been Twitter-jacked in the past. PayPal UK’s (EBAY) profile picture was changed to a pile of excrement and directed followers to the website paypalsucks.com after a disgruntled customer took over its page. A 15-year-old hacker took over the Twitter account of Westboro Baptist Church spokeswoman Shirley Phelps-Roper after the controversial church made comments about the mass shooting of elementary school students in Newtown, Conn. Even Britney Spears hasn’t been safe from hackers, who took over her page in 2009 to proclaim to her 3.7 million followers the singer’s newfound commitment to Satanism. Yes, she’d been hacked.
Who hacks these accounts? Is it the Chinese?
No. Given the use of the hashtag #Lulzsec in both the Burger King and Jeep hackings, the most obvious culprit is Lulz Security, a hacker group often associated with hacker cabal Anonymous that has claimed responsibility for several high-profile online attacks in the past several years. According to gadget blog Gizmodo, however, the hashtag may be a red herring to cover the tracks of a DJ who lives in Rhode Island.
Put more simply: The Chinese are unlikely to hack your company, unless you’re a defense contractor or Google (GOOG). Most of the time, hackers are simply out to embarrass a brand “for the lulz.”
Why would someone do this?
For the lulz? According to Garst, “It’s difficult to tell what the intent is behind these big corporate hacks. Usually when people are hacking personal Twitter accounts, it’s for spamming purposes, mostly to get people to click on links that are, well, unsavory.” LulzSec often uses its moment in the spotlight to further pet causes such as protesting the Cyber Intelligence Sharing and Protection Act (which privacy activists claim would allow the government to monitor private browsing information with impunity) or ending the war on drugs.
What do I do if my company’s account has been hacked?
If your account has been compromised, Twitter recommends that you change your password and revoke your handle’s connections to third-party applications like Instagram (FB). However, these instructions only help if your hacker hasn’t changed your password to bar you access to your own page. If that happens—as likely did with Burger King, which lost control of its account for more than an hour—a support request may be in order, which will allow Twitter to shut down your account remotely. However, this may take a while, during which your hacker can continue to cause chaos. After you’ve wrested control back, it’s important to distance yourself from whatever mayhem your hacker has caused; Burger King released a statement “apologiz[ing] to our fans and followers who have been receiving erroneous tweets about other members of our industry and additional inappropriate topics.” As for Jeep, Chrysler responded on its official feed: “Thanks for all the heads up on one of our brand accounts. The team is on it. It’s good so many of you have our back.”
How do I prevent future hacks?
Many hacks occur because of overly simplistic passwords, or easily identified answers to password-reset questions. Sarah Palin’s Yahoo! (YHOO) account was hacked when a college student used her Wikipedia page to find Palin’s birth date, one of the standard security filters used by Yahoo when resetting a password. So change your password every few months. And even then, stay alert. “Using good passwords—and changing them frequently—are a great start,” says Garst. “But phishing techniques are getting more sophisticated, and even official-looking e-mails can just be fronts for more nefarious purposes.” Also, limit the number of third-party applications that have access to your page. Instagram and Farmville are probably not going to abuse your account, but giving an application access to your Twitter page is like giving a copy of your house key to an unreliable friend.